From: Daniel J Walsh <dwalsh@redhat.com>
To: Justin Mattock <justinmattock@gmail.com>
Cc: SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: error: too many arguments to function 'security_getenforce'
Date: Thu, 13 Aug 2009 13:35:57 -0400 [thread overview]
Message-ID: <4A844EFD.7030000@redhat.com> (raw)
In-Reply-To: <dd18b0c30908122030l3e950054r1f3907a6dcde8db0@mail.gmail.com>
On 08/12/2009 11:30 PM, Justin Mattock wrote:
> Hello,
> I've spent the past few days trying to
> find a correct patch for sysvinit-2.86 to load
> the policy. but seems to keep hitting errors.
>
> I've made it as far as this:
> gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX init.c
> init.c: In function 'load_policy':
> init.c:107:3: error: too many arguments to function 'security_getenforce'
> init.c:120:0: warning: "MNT_DETACH" redefined
> /usr/include/sys/mount.h:102:0: note: this is the location of the
> previous definition
> init.c:130:7: warning: too many arguments for format
> init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
> qualifiers from pointer target type
> /usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
> argument is of type 'const char *'
> init.c: In function 're_exec':
> init.c:2040:2: warning: missing sentinel in function call
> make: *** [init.o] Error 1
> make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
>
> seems this is the only error showing up if I use the -i option
> from make.
>
> the patch looks like this:
> (only init.c/Makefile for now until I can get this
> correct)
>
> starting at line 83
>
> } while(0)
>
> #ifdef WITH_SELINUX
> #include <sys/mman.h>
> #include <selinux/selinux.h>
> #include <sepol/sepol.h>
> #include <sys/mount.h>
>
> /* Mount point for selinuxfs. */
> #define SELINUXMNT "/selinux/"
> int enforcing = -1; /* SELinux enforcing mode */
>
>
> static int load_policy(int *enforce)
> {
> int fd=-1,ret=-1;
> int rc=0, orig_enforce;
> struct stat sb;
> void *map;
> char policy_file[PATH_MAX];
> int policy_version=0;
> extern char *selinux_mnt;
> FILE *cfg;
> char buf[4096];
> int seconfig = -2;
>
> security_getenforce(&seconfig);
>
> mount("none", "/proc", "proc", 0, 0);
> cfg = fopen("/proc/cmdline","r");
> if (cfg) {
> char *tmp;
> if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
> if (tmp == buf || isspace(*(tmp-1))) {
> enforcing=atoi(tmp+10);
> }
> }
> fclose(cfg);
> }
> #define MNT_DETACH 2
> umount2("/proc",MNT_DETACH);
>
> if (enforcing >=0)
> *enforce = enforcing;
> else if (seconfig == 1)
> *enforce = 1;
>
> if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
> if (errno == ENODEV) {
> printf("SELinux not supported by kernel:
> %s\n",SELINUXMNT,strerror(errno));
> *enforce = 0;
> } else {
> printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
> }
> return ret;
> }
>
> selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
>
> policy_version=security_policyvers();
> if (policy_version < 0) {
> printf( "Can't get policy version: %s\n", strerror(errno));
> goto UMOUNT;
> }
>
> orig_enforce = rc = security_getenforce();
> if (rc < 0) {
> printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> if (enforcing >= 0) {
> *enforce = enforcing;
> } else if (seconfig == -1) {
> *enforce = 0;
> rc = security_disable();
> if (rc == 0) umount(SELINUXMNT);
> if (rc < 0) {
> rc = security_setenforce(0);
> if (rc < 0) {
> printf("Can't disable SELinux: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> ret = 0;
> goto UMOUNT;
> } else if (seconfig >= 0) {
> *enforce = seconfig;
> if (orig_enforce != *enforce) {
> rc = security_setenforce(seconfig);
> if (rc < 0) {
> printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
> goto UMOUNT;
> }
> }
> }
>
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> /* Check previous version to see if old policy is available
> */
> snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
> fd = open(policy_file, O_RDONLY);
> if (fd < 0) {
> printf( "Can't open '%s.%d': %s\n",
> selinux_binary_policy_path(),policy_version,strerror(errno));
> goto UMOUNT;
> }
> }
>
> if (fstat(fd, &sb) < 0) {
> printf("Can't stat '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
> map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
> if (map == MAP_FAILED) {
> printf( "Can't map '%s': %s\n",
> policy_file, strerror(errno));
> goto UMOUNT;
> }
>
>
> /* Set booleans based on a booleans configuration file. */
> ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
> if (ret < 0) {
> if (errno == ENOENT || errno == EINVAL) {
> /* No booleans file or stale booleans in the file; non-fatal. */
> printf("Warning! Error while setting booleans: %s\n"
> , strerror(errno));
> } else {
> printf("Error while setting booleans: %s\n",
> strerror(errno));
> goto UMOUNT;
> }
> }
> printf("Loading security policy\n");
> ret=security_load_policy(map, sb.st_size);
> if (ret < 0) {
> printf("security_load_policy failed\n");
> }
>
> UMOUNT:
> /*umount(SELINUXMNT); */
> if ( fd >= 0) {
> close(fd);
> }
> return(ret);
> }
> #endif
>
> /* Version information */
>
>
> line 2818
> #ifdef WITH_SELINUX
> if (getenv("SELINUX_INIT") == NULL) {
> putenv("SELINUX_INIT=YES");
> if (load_policy(&enforcing) == 0 ) {
> execv(myname, argv);
> } else {
> if (enforcing > 0) {
> /* SELinux in enforcing mode but load_policy failed */
> /* At this point, we probably can't open /dev/console, so
> log() won't work */
> fprintf(stderr,"Enforcing mode requested but no
> policy loaded. Halting now.\n");
> exit(1);
> }
> }
> }
> #endif
>
>
>
> and the Makefile has these in it:
>
> line 12
> CFLAGS = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
>
> line 52
>
> ifeq ($(WITH_SELINUX),yes)
> SELINUX_DEF=-DWITH_SELINUX
> INIT_SELIBS=-lsepol -lselinux
> SULOGIN_SELIBS=-lselinux
> else
> SELINUX_DEF=
> INIT_SELIBS=
> SULOGIN_SELIBS=
> endif
>
>
> line 71
> init: init.o init_utmp.o
> $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
>
> line 103
> init.o: init.c init.h set.h reboot.h initreq.h
> $(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
>
>
> Seems I found a patch from 2003 that
> did load the policy but segfaulted after that.
>
> should I even bother with this since there are
> newer approaches?
>
>
Does
selinux_mkload_policy(1);
Work for you?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2009-08-13 17:36 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-13 3:30 error: too many arguments to function 'security_getenforce' Justin Mattock
2009-08-13 5:49 ` Shintaro Fujiwara
2009-08-13 15:36 ` Justin P. Mattock
2009-08-13 17:35 ` Daniel J Walsh [this message]
2009-08-13 18:06 ` Justin P. Mattock
2009-08-13 18:13 ` Daniel J Walsh
2009-08-13 19:00 ` Justin P. Mattock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A844EFD.7030000@redhat.com \
--to=dwalsh@redhat.com \
--cc=justinmattock@gmail.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.