* error: too many arguments to function 'security_getenforce'
@ 2009-08-13 3:30 Justin Mattock
2009-08-13 5:49 ` Shintaro Fujiwara
2009-08-13 17:35 ` Daniel J Walsh
0 siblings, 2 replies; 7+ messages in thread
From: Justin Mattock @ 2009-08-13 3:30 UTC (permalink / raw)
To: SE-Linux
Hello,
I've spent the past few days trying to
find a correct patch for sysvinit-2.86 to load
the policy. but seems to keep hitting errors.
I've made it as far as this:
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX init.c
init.c: In function 'load_policy':
init.c:107:3: error: too many arguments to function 'security_getenforce'
init.c:120:0: warning: "MNT_DETACH" redefined
/usr/include/sys/mount.h:102:0: note: this is the location of the
previous definition
init.c:130:7: warning: too many arguments for format
init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
qualifiers from pointer target type
/usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
argument is of type 'const char *'
init.c: In function 're_exec':
init.c:2040:2: warning: missing sentinel in function call
make: *** [init.o] Error 1
make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
seems this is the only error showing up if I use the -i option
from make.
the patch looks like this:
(only init.c/Makefile for now until I can get this
correct)
starting at line 83
} while(0)
#ifdef WITH_SELINUX
#include <sys/mman.h>
#include <selinux/selinux.h>
#include <sepol/sepol.h>
#include <sys/mount.h>
/* Mount point for selinuxfs. */
#define SELINUXMNT "/selinux/"
int enforcing = -1; /* SELinux enforcing mode */
static int load_policy(int *enforce)
{
int fd=-1,ret=-1;
int rc=0, orig_enforce;
struct stat sb;
void *map;
char policy_file[PATH_MAX];
int policy_version=0;
extern char *selinux_mnt;
FILE *cfg;
char buf[4096];
int seconfig = -2;
security_getenforce(&seconfig);
mount("none", "/proc", "proc", 0, 0);
cfg = fopen("/proc/cmdline","r");
if (cfg) {
char *tmp;
if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
if (tmp == buf || isspace(*(tmp-1))) {
enforcing=atoi(tmp+10);
}
}
fclose(cfg);
}
#define MNT_DETACH 2
umount2("/proc",MNT_DETACH);
if (enforcing >=0)
*enforce = enforcing;
else if (seconfig == 1)
*enforce = 1;
if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
if (errno == ENODEV) {
printf("SELinux not supported by kernel:
%s\n",SELINUXMNT,strerror(errno));
*enforce = 0;
} else {
printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
}
return ret;
}
selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
policy_version=security_policyvers();
if (policy_version < 0) {
printf( "Can't get policy version: %s\n", strerror(errno));
goto UMOUNT;
}
orig_enforce = rc = security_getenforce();
if (rc < 0) {
printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
goto UMOUNT;
}
if (enforcing >= 0) {
*enforce = enforcing;
} else if (seconfig == -1) {
*enforce = 0;
rc = security_disable();
if (rc == 0) umount(SELINUXMNT);
if (rc < 0) {
rc = security_setenforce(0);
if (rc < 0) {
printf("Can't disable SELinux: %s\n", strerror(errno));
goto UMOUNT;
}
}
ret = 0;
goto UMOUNT;
} else if (seconfig >= 0) {
*enforce = seconfig;
if (orig_enforce != *enforce) {
rc = security_setenforce(seconfig);
if (rc < 0) {
printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
goto UMOUNT;
}
}
}
snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
fd = open(policy_file, O_RDONLY);
if (fd < 0) {
/* Check previous version to see if old policy is available
*/
snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
fd = open(policy_file, O_RDONLY);
if (fd < 0) {
printf( "Can't open '%s.%d': %s\n",
selinux_binary_policy_path(),policy_version,strerror(errno));
goto UMOUNT;
}
}
if (fstat(fd, &sb) < 0) {
printf("Can't stat '%s': %s\n",
policy_file, strerror(errno));
goto UMOUNT;
}
map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
if (map == MAP_FAILED) {
printf( "Can't map '%s': %s\n",
policy_file, strerror(errno));
goto UMOUNT;
}
/* Set booleans based on a booleans configuration file. */
ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
if (ret < 0) {
if (errno == ENOENT || errno == EINVAL) {
/* No booleans file or stale booleans in the file; non-fatal. */
printf("Warning! Error while setting booleans: %s\n"
, strerror(errno));
} else {
printf("Error while setting booleans: %s\n",
strerror(errno));
goto UMOUNT;
}
}
printf("Loading security policy\n");
ret=security_load_policy(map, sb.st_size);
if (ret < 0) {
printf("security_load_policy failed\n");
}
UMOUNT:
/*umount(SELINUXMNT); */
if ( fd >= 0) {
close(fd);
}
return(ret);
}
#endif
/* Version information */
line 2818
#ifdef WITH_SELINUX
if (getenv("SELINUX_INIT") == NULL) {
putenv("SELINUX_INIT=YES");
if (load_policy(&enforcing) == 0 ) {
execv(myname, argv);
} else {
if (enforcing > 0) {
/* SELinux in enforcing mode but load_policy failed */
/* At this point, we probably can't open /dev/console, so
log() won't work */
fprintf(stderr,"Enforcing mode requested but no
policy loaded. Halting now.\n");
exit(1);
}
}
}
#endif
and the Makefile has these in it:
line 12
CFLAGS = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
line 52
ifeq ($(WITH_SELINUX),yes)
SELINUX_DEF=-DWITH_SELINUX
INIT_SELIBS=-lsepol -lselinux
SULOGIN_SELIBS=-lselinux
else
SELINUX_DEF=
INIT_SELIBS=
SULOGIN_SELIBS=
endif
line 71
init: init.o init_utmp.o
$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
line 103
init.o: init.c init.h set.h reboot.h initreq.h
$(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
Seems I found a patch from 2003 that
did load the policy but segfaulted after that.
should I even bother with this since there are
newer approaches?
--
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 3:30 error: too many arguments to function 'security_getenforce' Justin Mattock
@ 2009-08-13 5:49 ` Shintaro Fujiwara
2009-08-13 15:36 ` Justin P. Mattock
2009-08-13 17:35 ` Daniel J Walsh
1 sibling, 1 reply; 7+ messages in thread
From: Shintaro Fujiwara @ 2009-08-13 5:49 UTC (permalink / raw)
To: Justin Mattock, selinux
security_getenforce(&seconfig);
is wrong.
see
[fujiwara@notepc ~]$ cat -n /usr/include/selinux/selinux.h|grep
security_getenforce
314 extern int security_getenforce(void);
2009/8/13 Justin Mattock <justinmattock@gmail.com>:
> Hello,
> I've spent the past few days trying to
> find a correct patch for sysvinit-2.86 to load
> the policy. but seems to keep hitting errors.
>
> I've made it as far as this:
> gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX init.c
> init.c: In function 'load_policy':
> init.c:107:3: error: too many arguments to function 'security_getenforce'
> init.c:120:0: warning: "MNT_DETACH" redefined
> /usr/include/sys/mount.h:102:0: note: this is the location of the
> previous definition
> init.c:130:7: warning: too many arguments for format
> init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
> qualifiers from pointer target type
> /usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
> argument is of type 'const char *'
> init.c: In function 're_exec':
> init.c:2040:2: warning: missing sentinel in function call
> make: *** [init.o] Error 1
> make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
>
> seems this is the only error showing up if I use the -i option
> from make.
>
> the patch looks like this:
> (only init.c/Makefile for now until I can get this
> correct)
>
> starting at line 83
>
> } while(0)
>
> #ifdef WITH_SELINUX
> #include <sys/mman.h>
> #include <selinux/selinux.h>
> #include <sepol/sepol.h>
> #include <sys/mount.h>
>
> /* Mount point for selinuxfs. */
> #define SELINUXMNT "/selinux/"
> int enforcing = -1; /* SELinux enforcing mode */
>
>
> static int load_policy(int *enforce)
> {
> int fd=-1,ret=-1;
> int rc=0, orig_enforce;
> struct stat sb;
> void *map;
> char policy_file[PATH_MAX];
> int policy_version=0;
> extern char *selinux_mnt;
> FILE *cfg;
> char buf[4096];
> int seconfig = -2;
>
> security_getenforce(&seconfig);
>
> mount("none", "/proc", "proc", 0, 0);
> cfg = fopen("/proc/cmdline","r");
> if (cfg) {
> char *tmp;
> if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
> if (tmp == buf || isspace(*(tmp-1))) {
> enforcing=atoi(tmp+10);
> }
> }
> fclose(cfg);
> }
> #define MNT_DETACH 2
> umount2("/proc",MNT_DETACH);
>
> if (enforcing >=0)
> *enforce = enforcing;
> else if (seconfig == 1)
> *enforce = 1;
>
> if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
> if (errno == ENODEV) {
> printf("SELinux not supported by kernel:
> %s\n",SELINUXMNT,strerror(errno));
> *enforce = 0;
> } else {
> printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
> }
> return ret;
> }
>
> selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
>
> policy_version=security_policyvers();
> if (policy_version < 0) {
> printf( "Can't get policy version: %s\n", strerror(errno));
> goto UMOUNT;
> }
>
> orig_enforce = rc = security_getenforce();
> if (rc < 0) {
> printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> if (enforcing >= 0) {
> *enforce = enforcing;
> } else if (seconfig == -1) {
> *enforce = 0;
> rc = security_disable();
> if (rc == 0) umount(SELINUXMNT);
> if (rc < 0) {
> rc = security_setenforce(0);
> if (rc < 0) {
> printf("Can't disable SELinux: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> ret = 0;
> goto UMOUNT;
> } else if (seconfig >= 0) {
> *enforce = seconfig;
> if (orig_enforce != *enforce) {
> rc = security_setenforce(seconfig);
> if (rc < 0) {
> printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> }
>
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> /* Check previous version to see if old policy is available
> */
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> printf( "Can't open '%s.%d': %s\n",
> selinux_binary_policy_path(),policy_version,strerror(errno));
> goto UMOUNT;
> }
> }
>
> if (fstat(fd, &sb) < 0) {
> printf("Can't stat '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
> map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
> if (map == MAP_FAILED) {
> printf( "Can't map '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
>
> /* Set booleans based on a booleans configuration file. */
> ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
> if (ret < 0) {
> if (errno == ENOENT || errno == EINVAL) {
> /* No booleans file or stale booleans in the file; non-fatal. */
> printf("Warning! Error while setting booleans: %s\n"
> , strerror(errno));
> } else {
> printf("Error while setting booleans: %s\n",
> strerror(errno));
> goto UMOUNT;
> }
> }
> printf("Loading security policy\n");
> ret=security_load_policy(map, sb.st_size);
> if (ret < 0) {
> printf("security_load_policy failed\n");
> }
>
> UMOUNT:
> /*umount(SELINUXMNT); */
> if ( fd >= 0) {
> close(fd);
> }
> return(ret);
> }
> #endif
>
> /* Version information */
>
>
> line 2818
> #ifdef WITH_SELINUX
> if (getenv("SELINUX_INIT") == NULL) {
> putenv("SELINUX_INIT=YES");
> if (load_policy(&enforcing) == 0 ) {
> execv(myname, argv);
> } else {
> if (enforcing > 0) {
> /* SELinux in enforcing mode but load_policy failed */
> /* At this point, we probably can't open /dev/console, so
> log() won't work */
> fprintf(stderr,"Enforcing mode requested but no
> policy loaded. Halting now.\n");
> exit(1);
> }
> }
> }
> #endif
>
>
>
> and the Makefile has these in it:
>
> line 12
> CFLAGS = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
>
> line 52
>
> ifeq ($(WITH_SELINUX),yes)
> SELINUX_DEF=-DWITH_SELINUX
> INIT_SELIBS=-lsepol -lselinux
> SULOGIN_SELIBS=-lselinux
> else
> SELINUX_DEF=
> INIT_SELIBS=
> SULOGIN_SELIBS=
> endif
>
>
> line 71
> init: init.o init_utmp.o
> $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
>
> line 103
> init.o: init.c init.h set.h reboot.h initreq.h
> $(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
>
>
> Seems I found a patch from 2003 that
> did load the policy but segfaulted after that.
>
> should I even bother with this since there are
> newer approaches?
>
>
> --
> Justin P. Mattock
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>
--
http://intrajp.no-ip.com/ Home Page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 5:49 ` Shintaro Fujiwara
@ 2009-08-13 15:36 ` Justin P. Mattock
0 siblings, 0 replies; 7+ messages in thread
From: Justin P. Mattock @ 2009-08-13 15:36 UTC (permalink / raw)
To: Shintaro Fujiwara; +Cc: selinux
Shintaro Fujiwara wrote:
> security_getenforce(&seconfig);
>
> is wrong.
>
> see
>
> [fujiwara@notepc ~]$ cat -n /usr/include/selinux/selinux.h|grep
> security_getenforce
> 314 extern int security_getenforce(void);
>
>
Great,
Can you or somebody help me in finding
a correct patch to load the policy at boot.
I find it hard to believe that such a security policy
would be lacking in this area.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 3:30 error: too many arguments to function 'security_getenforce' Justin Mattock
2009-08-13 5:49 ` Shintaro Fujiwara
@ 2009-08-13 17:35 ` Daniel J Walsh
2009-08-13 18:06 ` Justin P. Mattock
1 sibling, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2009-08-13 17:35 UTC (permalink / raw)
To: Justin Mattock; +Cc: SE-Linux
On 08/12/2009 11:30 PM, Justin Mattock wrote:
> Hello,
> I've spent the past few days trying to
> find a correct patch for sysvinit-2.86 to load
> the policy. but seems to keep hitting errors.
>
> I've made it as far as this:
> gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX init.c
> init.c: In function 'load_policy':
> init.c:107:3: error: too many arguments to function 'security_getenforce'
> init.c:120:0: warning: "MNT_DETACH" redefined
> /usr/include/sys/mount.h:102:0: note: this is the location of the
> previous definition
> init.c:130:7: warning: too many arguments for format
> init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
> qualifiers from pointer target type
> /usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
> argument is of type 'const char *'
> init.c: In function 're_exec':
> init.c:2040:2: warning: missing sentinel in function call
> make: *** [init.o] Error 1
> make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
>
> seems this is the only error showing up if I use the -i option
> from make.
>
> the patch looks like this:
> (only init.c/Makefile for now until I can get this
> correct)
>
> starting at line 83
>
> } while(0)
>
> #ifdef WITH_SELINUX
> #include <sys/mman.h>
> #include <selinux/selinux.h>
> #include <sepol/sepol.h>
> #include <sys/mount.h>
>
> /* Mount point for selinuxfs. */
> #define SELINUXMNT "/selinux/"
> int enforcing = -1; /* SELinux enforcing mode */
>
>
> static int load_policy(int *enforce)
> {
> int fd=-1,ret=-1;
> int rc=0, orig_enforce;
> struct stat sb;
> void *map;
> char policy_file[PATH_MAX];
> int policy_version=0;
> extern char *selinux_mnt;
> FILE *cfg;
> char buf[4096];
> int seconfig = -2;
>
> security_getenforce(&seconfig);
>
> mount("none", "/proc", "proc", 0, 0);
> cfg = fopen("/proc/cmdline","r");
> if (cfg) {
> char *tmp;
> if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
> if (tmp == buf || isspace(*(tmp-1))) {
> enforcing=atoi(tmp+10);
> }
> }
> fclose(cfg);
> }
> #define MNT_DETACH 2
> umount2("/proc",MNT_DETACH);
>
> if (enforcing >=0)
> *enforce = enforcing;
> else if (seconfig == 1)
> *enforce = 1;
>
> if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
> if (errno == ENODEV) {
> printf("SELinux not supported by kernel:
> %s\n",SELINUXMNT,strerror(errno));
> *enforce = 0;
> } else {
> printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
> }
> return ret;
> }
>
> selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
>
> policy_version=security_policyvers();
> if (policy_version < 0) {
> printf( "Can't get policy version: %s\n", strerror(errno));
> goto UMOUNT;
> }
>
> orig_enforce = rc = security_getenforce();
> if (rc < 0) {
> printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> if (enforcing >= 0) {
> *enforce = enforcing;
> } else if (seconfig == -1) {
> *enforce = 0;
> rc = security_disable();
> if (rc == 0) umount(SELINUXMNT);
> if (rc < 0) {
> rc = security_setenforce(0);
> if (rc < 0) {
> printf("Can't disable SELinux: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> ret = 0;
> goto UMOUNT;
> } else if (seconfig >= 0) {
> *enforce = seconfig;
> if (orig_enforce != *enforce) {
> rc = security_setenforce(seconfig);
> if (rc < 0) {
> printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> }
>
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> /* Check previous version to see if old policy is available
> */
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> printf( "Can't open '%s.%d': %s\n",
> selinux_binary_policy_path(),policy_version,strerror(errno));
> goto UMOUNT;
> }
> }
>
> if (fstat(fd, &sb) < 0) {
> printf("Can't stat '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
> map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
> if (map == MAP_FAILED) {
> printf( "Can't map '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
>
> /* Set booleans based on a booleans configuration file. */
> ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
> if (ret < 0) {
> if (errno == ENOENT || errno == EINVAL) {
> /* No booleans file or stale booleans in the file; non-fatal. */
> printf("Warning! Error while setting booleans: %s\n"
> , strerror(errno));
> } else {
> printf("Error while setting booleans: %s\n",
> strerror(errno));
> goto UMOUNT;
> }
> }
> printf("Loading security policy\n");
> ret=security_load_policy(map, sb.st_size);
> if (ret < 0) {
> printf("security_load_policy failed\n");
> }
>
> UMOUNT:
> /*umount(SELINUXMNT); */
> if ( fd >= 0) {
> close(fd);
> }
> return(ret);
> }
> #endif
>
> /* Version information */
>
>
> line 2818
> #ifdef WITH_SELINUX
> if (getenv("SELINUX_INIT") == NULL) {
> putenv("SELINUX_INIT=YES");
> if (load_policy(&enforcing) == 0 ) {
> execv(myname, argv);
> } else {
> if (enforcing > 0) {
> /* SELinux in enforcing mode but load_policy failed */
> /* At this point, we probably can't open /dev/console, so
> log() won't work */
> fprintf(stderr,"Enforcing mode requested but no
> policy loaded. Halting now.\n");
> exit(1);
> }
> }
> }
> #endif
>
>
>
> and the Makefile has these in it:
>
> line 12
> CFLAGS = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
>
> line 52
>
> ifeq ($(WITH_SELINUX),yes)
> SELINUX_DEF=-DWITH_SELINUX
> INIT_SELIBS=-lsepol -lselinux
> SULOGIN_SELIBS=-lselinux
> else
> SELINUX_DEF=
> INIT_SELIBS=
> SULOGIN_SELIBS=
> endif
>
>
> line 71
> init: init.o init_utmp.o
> $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
>
> line 103
> init.o: init.c init.h set.h reboot.h initreq.h
> $(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
>
>
> Seems I found a patch from 2003 that
> did load the policy but segfaulted after that.
>
> should I even bother with this since there are
> newer approaches?
>
>
Does
selinux_mkload_policy(1);
Work for you?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 17:35 ` Daniel J Walsh
@ 2009-08-13 18:06 ` Justin P. Mattock
2009-08-13 18:13 ` Daniel J Walsh
0 siblings, 1 reply; 7+ messages in thread
From: Justin P. Mattock @ 2009-08-13 18:06 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE-Linux
Daniel J Walsh wrote:
>
> Does
>
> selinux_mkload_policy(1);
>
> Work for you?
>
>
I clipped part of the message to keep
things clean.
I'm going to be honest, I'm not that yet skilled
in fixing something like this.
with selinux_mkload_policy(1)
were would I put this?
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 18:06 ` Justin P. Mattock
@ 2009-08-13 18:13 ` Daniel J Walsh
2009-08-13 19:00 ` Justin P. Mattock
0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2009-08-13 18:13 UTC (permalink / raw)
To: Justin P. Mattock; +Cc: SE-Linux
[-- Attachment #1: Type: text/plain, Size: 779 bytes --]
On 08/13/2009 02:06 PM, Justin P. Mattock wrote:
> Daniel J Walsh wrote:
>>
>> Does
>>
>> selinux_mkload_policy(1);
>>
>> Work for you?
>>
>>
> I clipped part of the message to keep
> things clean.
>
> I'm going to be honest, I'm not that yet skilled
> in fixing something like this.
>
> with selinux_mkload_policy(1)
> were would I put this?
>
> Justin P. Mattock
>
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
Actually the function you probably want
selinux_init_load_policy
I attached the patch we used to use for sysvinit, before we moved to loading policy in the initrd.
[-- Attachment #2: sysvinit-selinux.patch --]
[-- Type: text/plain, Size: 2642 bytes --]
--- sysvinit-2.85/src/init.c.selinux 2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/init.c 2005-10-14 14:16:24.000000000 -0400
@@ -48,6 +48,8 @@
#include <stdarg.h>
#include <sys/syslog.h>
#include <sys/time.h>
+#include <selinux/selinux.h>
+
#ifdef __i386__
# if (__GLIBC__ >= 2)
@@ -2513,6 +2515,7 @@
char *p;
int f;
int isinit;
+ int enforce = 0;
/* Get my own name */
if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2576,6 +2579,20 @@
maxproclen += strlen(argv[f]) + 1;
}
+ if (getenv("SELINUX_INIT") == NULL) {
+ putenv("SELINUX_INIT=YES");
+ if (selinux_init_load_policy(&enforce) == 0 ) {
+ execv(myname, argv);
+ } else {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ /* At this point, we probably can't open /dev/console, so log() won't work */
+ printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+ exit(1);
+ }
+ }
+ }
+
/* Start booting. */
argv0 = argv[0];
argv[1] = NULL;
--- sysvinit-2.85/src/Makefile.selinux 2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/Makefile 2005-10-14 14:16:24.000000000 -0400
@@ -32,7 +32,7 @@
all: $(PROGS)
init: init.o init_utmp.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
halt: halt.o ifdown.o hddown.o utmp.o reboot.h
$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -50,7 +50,7 @@
$(CC) $(LDFLAGS) -o $@ runlevel.o
sulogin: sulogin.o md5_broken.o md5_crypt_broken.o
- $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+ $(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux
wall: dowall.o wall.o
$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
--- sysvinit-2.85/src/sulogin.c.selinux 2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/sulogin.c 2005-10-14 14:18:42.000000000 -0400
@@ -28,7 +28,9 @@
# include <crypt.h>
#endif
#include "md5.h"
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
#define CHECK_DES 1
#define CHECK_MD5 1
@@ -332,6 +335,19 @@
signal(SIGINT, SIG_DFL);
signal(SIGTSTP, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
+ if (is_selinux_enabled > 0) {
+ security_context_t scon=NULL;
+ char *seuser=NULL;
+ char *level=NULL;
+ if (getseuserbyname("root", &seuser, &level) == 0)
+ if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+ if (setexeccon(scon) != 0)
+ fprintf(stderr, "setexeccon faile\n");
+ freecon(scon);
+ }
+ free(seuser);
+ free(level);
+ }
execl(sushell, shell, NULL);
perror(sushell);
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: error: too many arguments to function 'security_getenforce'
2009-08-13 18:13 ` Daniel J Walsh
@ 2009-08-13 19:00 ` Justin P. Mattock
0 siblings, 0 replies; 7+ messages in thread
From: Justin P. Mattock @ 2009-08-13 19:00 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE-Linux
Daniel J Walsh wrote:
> On 08/13/2009 02:06 PM, Justin P. Mattock wrote:
>
>> Daniel J Walsh wrote:
>>
>>> Does
>>>
>>> selinux_mkload_policy(1);
>>>
>>> Work for you?
>>>
>>>
>>>
>> I clipped part of the message to keep
>> things clean.
>>
>> I'm going to be honest, I'm not that yet skilled
>> in fixing something like this.
>>
>> with selinux_mkload_policy(1)
>> were would I put this?
>>
>> Justin P. Mattock
>>
>>
>>
>> --
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>>
>
> Actually the function you probably want
> selinux_init_load_policy
>
> I attached the patch we used to use for sysvinit, before we moved to loading policy in the initrd.
>
>
>
>
you are the renaissance man...
finally after racking my brain around this one
init finally loads the policy, of course with your assistance.
I owe you a nice cold one, just let me know if your
ever in the ventura county area.
(or if I head up to silicon valley just name your location of choice).
Thank you for this.
Justin P. Mattock
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2009-08-13 18:59 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-08-13 3:30 error: too many arguments to function 'security_getenforce' Justin Mattock
2009-08-13 5:49 ` Shintaro Fujiwara
2009-08-13 15:36 ` Justin P. Mattock
2009-08-13 17:35 ` Daniel J Walsh
2009-08-13 18:06 ` Justin P. Mattock
2009-08-13 18:13 ` Daniel J Walsh
2009-08-13 19:00 ` Justin P. Mattock
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.