From: Daniel J Walsh <dwalsh@redhat.com>
To: SE Linux <selinux@tycho.nsa.gov>
Subject: libselinux does not work properly in upstart/initrd
Date: Thu, 28 Feb 2008 12:33:27 -0500
Message-ID: <47C6F067.5050209@redhat.com>


https://bugzilla.redhat.com/show_bug.cgi?id=434793

The way the upstart initrd works is to run nash with a builtin
loadpolicy.  The problem is nash starts before the /sysmount file
system is mounted, so libselinux does not have an /etc/selinux/config to
read.  It defaults to targeted.  So when nash finally executes
loadpolicy (selinux_init_load_policy) it has the wrong config.
Switching to any other type of policy will fail and
selinux_init_load_policy will look for targeted.

I changed this function to reload the config, to fix this problem.

I think I did all the hidden stuff correctly.  I don't think we want to
expose these functions.

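The ordering problem the mail describes, reproduced in a small stand-alone C program that is an added example and not libselinux code: library state is filled in by an ELF constructor that runs before main(), at a time when the config file is not there yet (a hypothetical path stands in for /etc/selinux/config before /sysmount is mounted), so the cached policy type silently falls back to the default. load_policy_cached() shows the pre-fix behaviour; load_policy_reinit() does what the patch adds to selinux_init_load_policy(), tearing the state down and re-reading the config before acting on it. The helpers set_config_path() and create_example_config() exist only to simulate the file appearing after load; the config line format follows the SELINUXTYPE= key the real file uses.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_TYPE "targeted"

/* Constructed example state. The real library keeps this in
 * selinux_config.c and reads /etc/selinux/config; this hypothetical path
 * does not exist when the constructor runs, mirroring an initrd in which
 * the config file's file system is not mounted yet. */
static char config_path[256] = "/nonexistent/selinux-config-example";
static char policytype[64] = DEFAULT_TYPE;

/* Parse SELINUXTYPE=<name> from the config file; a missing file leaves
 * the default in place, which is the same fallback libselinux takes. */
static void init_config(void)
{
    FILE *cfg;
    char line[256];

    strncpy(policytype, DEFAULT_TYPE, sizeof policytype - 1);
    policytype[sizeof policytype - 1] = '\0';
    cfg = fopen(config_path, "r");
    if (!cfg)
        return;
    while (fgets(line, sizeof line, cfg)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (strncmp(line, "SELINUXTYPE=", 12) == 0 && line[12] != '\0') {
            strncpy(policytype, line + 12, sizeof policytype - 1);
            policytype[sizeof policytype - 1] = '\0';
        }
    }
    fclose(cfg);
}

/* Tear-down counterpart; idempotent, so running it again at exit is safe. */
static void fini_config(void)
{
    policytype[0] = '\0';
}

/* Runs at load time, before main(), like libselinux's constructor. */
static void ctor_init(void) __attribute__((constructor));
static void ctor_init(void) { init_config(); }

/* Pre-fix behaviour: trust whatever the constructor cached. */
const char *load_policy_cached(void)
{
    return policytype;
}

/* Post-fix behaviour: drop the cached state and re-read the config first. */
const char *load_policy_reinit(void)
{
    fini_config();
    init_config();
    return policytype;
}

/* Simulates the config becoming visible after the library was loaded. */
void set_config_path(const char *path)
{
    strncpy(config_path, path, sizeof config_path - 1);
    config_path[sizeof config_path - 1] = '\0';
}

/* Writes a constructed config naming the given policy type into a temp
 * file and returns its path through out_path; returns 0 on success. */
int create_example_config(const char *type, char *out_path, size_t out_len)
{
    char tmpl[] = "/tmp/selcfg-exampleXXXXXX";
    int fd = mkstemp(tmpl);
    FILE *f;

    if (fd < 0)
        return -1;
    if (strlen(tmpl) >= out_len) { close(fd); unlink(tmpl); return -1; }
    f = fdopen(fd, "w");
    if (!f) { close(fd); unlink(tmpl); return -1; }
    fprintf(f, "SELINUX=enforcing\nSELINUXTYPE=%s\n", type);
    fclose(f);
    strcpy(out_path, tmpl);
    return 0;
}

int main(void)
{
    char path[64];

    if (create_example_config("mls", path, sizeof path) != 0)
        return 1;
    set_config_path(path);                            /* config "mounted" now */
    printf("cached : %s\n", load_policy_cached());    /* stale default     */
    printf("reinit : %s\n", load_policy_reinit());    /* value from file   */
    remove(path);
    return 0;
}
```

The point to take from it is that any state a shared library computes in a constructor is a snapshot of the environment at load time; code that runs in early boot or inside a chroot has to be able to refresh that snapshot explicitly, which is what the patch below adds.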
[-- Attachment #2: diff --]
[-- Type: text/plain, Size: 2325 bytes --]

diff --exclude-from=exclude -N -u -r nsalibselinux/src/load_policy.c libselinux-2.0.57/src/load_policy.c
--- nsalibselinux/src/load_policy.c	2008-02-13 11:16:14.000000000 -0500
+++ libselinux-2.0.57/src/load_policy.c	2008-02-28 11:11:20.000000000 -0500
@@ -308,6 +308,13 @@
 	FILE *cfg;
 	char *buf;
 
+
+	/*
+	  Reinitialize the library, so chroot will work correctly.
+	 */
+	fini_selinux_policyroot();
+	init_selinux_config();
+
 	/*
 	 * Get desired mode (disabled, permissive, enforcing) from 
 	 * /etc/selinux/config. 
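Review bot: the comment added at the top of this hunk gives the wrong reason; it says the reinitialisation is "so chroot will work correctly", but the problem the cover mail describes is that init_selinux_config() ran as a constructor before /etc/selinux/config was mounted in the initrd. State that in the comment so the next reader knows why selinux_init_load_policy() tears down and rebuilds the config on every call, for example "/* Re-read /etc/selinux/config: the constructor may have run before it was mounted (initrd). */". The extra blank line added before the comment is also unnecessary, since the hunk already has one after the declarations.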
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_config.c libselinux-2.0.57/src/selinux_config.c
--- nsalibselinux/src/selinux_config.c	2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_config.c	2008-02-28 11:10:01.000000000 -0500
@@ -127,9 +127,9 @@
 static char *selinux_policyroot = NULL;
 static char *selinux_rootpath = NULL;
 
-static void init_selinux_config(void) __attribute__ ((constructor));
+void init_selinux_config(void) __attribute__ ((constructor));
 
-static void init_selinux_config(void)
+void init_selinux_config(void)
 {
 	int i, *intptr;
 	size_t line_len;
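Review bot: dropping `static` from init_selinux_config() gives it external linkage, so it will be exported from libselinux.so unless a hidden-visibility declaration is in scope at this definition; please confirm that selinux_config.c includes selinux_internal.h (where the `hidden` prototype is added) above this point, otherwise the symbol becomes part of the public ABI even though the cover note says these functions should not be exposed. The `__attribute__ ((constructor))` is kept, so the function now runs once at load time and again explicitly from load_policy.c; that is the intended behaviour, but it deserves a sentence in the description.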
@@ -207,10 +207,11 @@
 		    == -1)
 			return;
 }
+hidden_def(init_selinux_config)
 
-static void fini_selinux_policyroot(void) __attribute__ ((destructor));
+void fini_selinux_policyroot(void) __attribute__ ((destructor));
 
-static void fini_selinux_policyroot(void)
+void fini_selinux_policyroot(void)
 {
 	int i;
 	free(selinux_policyroot);
@@ -222,6 +223,7 @@
 	free(selinux_policytype);
 	selinux_policytype = NULL;
 }
+hidden_def(fini_selinux_policyroot)
 
 static const char *get_path(int idx)
 {
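Review bot: fini_selinux_policyroot() now runs twice on the normal path, once from selinux_init_load_policy() and again as the destructor at unload, so every free() in it has to be followed by resetting the pointer to NULL. This hunk shows free(selinux_policytype) paired with selinux_policytype = NULL, but the earlier hunk cuts off right after free(selinux_policyroot); please check that selinux_policyroot and the per-index path table that get_path() reads are cleared the same way, or the second call will double-free.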
diff --exclude-from=exclude -N -u -r nsalibselinux/src/selinux_internal.h libselinux-2.0.57/src/selinux_internal.h
--- nsalibselinux/src/selinux_internal.h	2007-08-03 16:02:56.000000000 -0400
+++ libselinux-2.0.57/src/selinux_internal.h	2008-02-28 11:11:04.000000000 -0500
@@ -80,6 +80,13 @@
 hidden_proto(security_get_initial_context);
 hidden_proto(security_get_initial_context_raw);
 
+extern void init_selinux_config(void) hidden;
+extern void fini_selinux_policyroot(void) hidden;
+
+hidden_proto(init_selinux_config);
+hidden_proto(fini_selinux_policyroot);
+
 extern int load_setlocaldefs hidden;
 extern int require_seusers hidden;
 extern int selinux_page_size hidden;
+
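Review bot: the two declaration styles in this hunk overlap. `extern void init_selinux_config(void) hidden;` already gives the symbol hidden visibility, while hidden_proto()/hidden_def() is the mechanism libselinux uses for public API functions that internal callers should reach through a hidden alias. Since the cover note says these functions are not meant to be exposed, the `extern ... hidden` lines alone should be enough and the hidden_proto()/hidden_def() pairs can be dropped; if hidden_proto is being kept for a reason, say so in a comment. Also drop the trailing blank line added at the end of the file.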
