error: too many arguments to function 'security_getenforce'

error: too many arguments to function 'security_getenforce'

[Justin Mattock]

Hello,
I've spent the past few days trying to
find a correct patch for sysvinit-2.86 to load
the policy. but seems to keep hitting errors.

I've made it as far as this:
gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX  init.c
init.c: In function 'load_policy':
init.c:107:3: error: too many arguments to function 'security_getenforce'
init.c:120:0: warning: "MNT_DETACH" redefined
/usr/include/sys/mount.h:102:0: note: this is the location of the
previous definition
init.c:130:7: warning: too many arguments for format
init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
qualifiers from pointer target type
/usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
argument is of type 'const char *'
init.c: In function 're_exec':
init.c:2040:2: warning: missing sentinel in function call
make: *** [init.o] Error 1
make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'

seems this is the only error showing up if I use the -i option
from make.

the patch looks like this:
(only init.c/Makefile for now until I can get this
correct)

starting at line 83

		} while(0)

#ifdef WITH_SELINUX
#include <sys/mman.h>
#include <selinux/selinux.h>
#include <sepol/sepol.h>
#include <sys/mount.h>

/* Mount point for selinuxfs. */
#define SELINUXMNT "/selinux/"
int enforcing = -1;            /* SELinux enforcing mode */


static int load_policy(int *enforce)
{
  int fd=-1,ret=-1;
  int rc=0, orig_enforce;
  struct stat sb;
  void *map;
  char policy_file[PATH_MAX];
  int policy_version=0;
  extern char *selinux_mnt;
  FILE *cfg;
  char buf[4096];
  int seconfig = -2;

  security_getenforce(&seconfig);

  mount("none", "/proc", "proc", 0, 0);
 cfg = fopen("/proc/cmdline","r");
  if (cfg) {
    char *tmp;
    if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
      if (tmp == buf || isspace(*(tmp-1))) {
        enforcing=atoi(tmp+10);
      }
    }
    fclose(cfg);
  }
#define MNT_DETACH 2
  umount2("/proc",MNT_DETACH);

  if (enforcing >=0)
    *enforce = enforcing;
  else if (seconfig == 1)
    *enforce = 1;

  if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
    if (errno == ENODEV) {
      printf("SELinux not supported by kernel:
%s\n",SELINUXMNT,strerror(errno));
      *enforce = 0;
    } else {
      printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
    }
    return ret;
  }

  selinux_mnt = SELINUXMNT; /* set manually since we mounted it */

  policy_version=security_policyvers();
  if (policy_version < 0) {
    printf( "Can't get policy version: %s\n", strerror(errno));
    goto UMOUNT;
  }

  orig_enforce = rc = security_getenforce();
  if (rc < 0) {
    printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
    goto UMOUNT;
  }
  if (enforcing >= 0) {
    *enforce = enforcing;
  } else if (seconfig == -1) {
    *enforce = 0;
    rc = security_disable();
    if (rc == 0) umount(SELINUXMNT);
   if (rc < 0) {
     rc = security_setenforce(0);
     if (rc < 0) {
       printf("Can't disable SELinux: %s\n", strerror(errno));
       goto UMOUNT;
      }
    }
    ret = 0;
    goto UMOUNT;
  } else if (seconfig >= 0) {
    *enforce = seconfig;
    if (orig_enforce != *enforce) {
      rc = security_setenforce(seconfig);
      if (rc < 0) {
        printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
        goto UMOUNT;
      }
   }
  }

  snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
  fd = open(policy_file, O_RDONLY);
  if (fd < 0) {
    /* Check previous version to see if old policy is available
     */
    snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
    fd = open(policy_file, O_RDONLY);
    if (fd < 0) {
      printf( "Can't open '%s.%d':  %s\n",
          selinux_binary_policy_path(),policy_version,strerror(errno));
      goto UMOUNT;
    }
  }

  if (fstat(fd, &sb) < 0) {
  printf("Can't stat '%s':  %s\n",
        policy_file, strerror(errno));
   goto UMOUNT;
 }

  map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
  if (map == MAP_FAILED) {
    printf( "Can't map '%s':  %s\n",
       policy_file, strerror(errno));
    goto UMOUNT;
  }


  /* Set booleans based on a booleans configuration file. */
  ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
  if (ret < 0) {
    if (errno == ENOENT || errno == EINVAL) {
      /* No booleans file or stale booleans in the file; non-fatal. */
      printf("Warning!  Error while setting booleans:  %s\n"
          , strerror(errno));
    } else {
      printf("Error while setting booleans:  %s\n",
          strerror(errno));
      goto UMOUNT;
    }
 }
  printf("Loading security policy\n");
  ret=security_load_policy(map, sb.st_size);
  if (ret < 0) {
    printf("security_load_policy failed\n");
  }

 UMOUNT:
  /*umount(SELINUXMNT); */
  if ( fd >= 0) {
    close(fd);
 }
  return(ret);
}
#endif

/* Version information */


line 2818
#ifdef WITH_SELINUX
       if (getenv("SELINUX_INIT") == NULL) {
         putenv("SELINUX_INIT=YES");
         if (load_policy(&enforcing) == 0 ) {
           execv(myname, argv);
         } else {
           if (enforcing > 0) {
             /* SELinux in enforcing mode but load_policy failed */
             /* At this point, we probably can't open /dev/console, so
log() won't work */
                   fprintf(stderr,"Enforcing mode requested but no
policy loaded. Halting now.\n");
             exit(1);
           }
         }
       }
#endif



and the Makefile has these in it:

line 12
CFLAGS	= -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX

line 52

ifeq ($(WITH_SELINUX),yes)
  SELINUX_DEF=-DWITH_SELINUX
  INIT_SELIBS=-lsepol -lselinux
  SULOGIN_SELIBS=-lselinux
else
  SELINUX_DEF=
  INIT_SELIBS=
  SULOGIN_SELIBS=
endif


line 71
init:		init.o init_utmp.o
		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)

line 103
init.o:		init.c init.h set.h reboot.h initreq.h
		$(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c


Seems I found a patch from 2003 that
did load the policy but segfaulted after that.

should I even bother with this since there are
newer approaches?


-- 
Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: error: too many arguments to function 'security_getenforce'

[Shintaro Fujiwara]

 security_getenforce(&seconfig);

is wrong.

see

[fujiwara@notepc ~]$ cat -n /usr/include/selinux/selinux.h|grep
security_getenforce
   314	extern int security_getenforce(void);


2009/8/13 Justin Mattock <justinmattock@gmail.com>:
> Hello,
> I've spent the past few days trying to
> find a correct patch for sysvinit-2.86 to load
> the policy. but seems to keep hitting errors.
>
> I've made it as far as this:
> gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX  init.c
> init.c: In function 'load_policy':
> init.c:107:3: error: too many arguments to function 'security_getenforce'
> init.c:120:0: warning: "MNT_DETACH" redefined
> /usr/include/sys/mount.h:102:0: note: this is the location of the
> previous definition
> init.c:130:7: warning: too many arguments for format
> init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
> qualifiers from pointer target type
> /usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
> argument is of type 'const char *'
> init.c: In function 're_exec':
> init.c:2040:2: warning: missing sentinel in function call
> make: *** [init.o] Error 1
> make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
>
> seems this is the only error showing up if I use the -i option
> from make.
>
> the patch looks like this:
> (only init.c/Makefile for now until I can get this
> correct)
>
> starting at line 83
>
>                } while(0)
>
> #ifdef WITH_SELINUX
> #include <sys/mman.h>
> #include <selinux/selinux.h>
> #include <sepol/sepol.h>
> #include <sys/mount.h>
>
> /* Mount point for selinuxfs. */
> #define SELINUXMNT "/selinux/"
> int enforcing = -1;            /* SELinux enforcing mode */
>
>
> static int load_policy(int *enforce)
> {
>  int fd=-1,ret=-1;
>  int rc=0, orig_enforce;
>  struct stat sb;
>  void *map;
>  char policy_file[PATH_MAX];
>  int policy_version=0;
>  extern char *selinux_mnt;
>  FILE *cfg;
>  char buf[4096];
>  int seconfig = -2;
>
>  security_getenforce(&seconfig);
>
>  mount("none", "/proc", "proc", 0, 0);
>  cfg = fopen("/proc/cmdline","r");
>  if (cfg) {
>    char *tmp;
>    if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
>      if (tmp == buf || isspace(*(tmp-1))) {
>        enforcing=atoi(tmp+10);
>      }
>    }
>    fclose(cfg);
>  }
> #define MNT_DETACH 2
>  umount2("/proc",MNT_DETACH);
>
>  if (enforcing >=0)
>    *enforce = enforcing;
>  else if (seconfig == 1)
>    *enforce = 1;
>
>  if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
>    if (errno == ENODEV) {
>      printf("SELinux not supported by kernel:
> %s\n",SELINUXMNT,strerror(errno));
>      *enforce = 0;
>    } else {
>      printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
>    }
>    return ret;
>  }
>
>  selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
>
>  policy_version=security_policyvers();
>  if (policy_version < 0) {
>    printf( "Can't get policy version: %s\n", strerror(errno));
>    goto UMOUNT;
>  }
>
>  orig_enforce = rc = security_getenforce();
>  if (rc < 0) {
>    printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
>    goto UMOUNT;
>  }
>  if (enforcing >= 0) {
>    *enforce = enforcing;
>  } else if (seconfig == -1) {
>    *enforce = 0;
>    rc = security_disable();
>    if (rc == 0) umount(SELINUXMNT);
>   if (rc < 0) {
>     rc = security_setenforce(0);
>     if (rc < 0) {
>       printf("Can't disable SELinux: %s\n", strerror(errno));
>       goto UMOUNT;
>      }
>    }
>    ret = 0;
>    goto UMOUNT;
>  } else if (seconfig >= 0) {
>    *enforce = seconfig;
>    if (orig_enforce != *enforce) {
>      rc = security_setenforce(seconfig);
>      if (rc < 0) {
>        printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
>        goto UMOUNT;
>      }
>   }
>  }
>
>  snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
>  fd = open(policy_file, O_RDONLY);
>  if (fd < 0) {
>    /* Check previous version to see if old policy is available
>     */
>    snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
>    fd = open(policy_file, O_RDONLY);
>    if (fd < 0) {
>      printf( "Can't open '%s.%d':  %s\n",
>          selinux_binary_policy_path(),policy_version,strerror(errno));
>      goto UMOUNT;
>    }
>  }
>
>  if (fstat(fd, &sb) < 0) {
>  printf("Can't stat '%s':  %s\n",
>        policy_file, strerror(errno));
>   goto UMOUNT;
>  }
>
>  map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
>  if (map == MAP_FAILED) {
>    printf( "Can't map '%s':  %s\n",
>       policy_file, strerror(errno));
>    goto UMOUNT;
>  }
>
>
>  /* Set booleans based on a booleans configuration file. */
>  ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
>  if (ret < 0) {
>    if (errno == ENOENT || errno == EINVAL) {
>      /* No booleans file or stale booleans in the file; non-fatal. */
>      printf("Warning!  Error while setting booleans:  %s\n"
>          , strerror(errno));
>    } else {
>      printf("Error while setting booleans:  %s\n",
>          strerror(errno));
>      goto UMOUNT;
>    }
>  }
>  printf("Loading security policy\n");
>  ret=security_load_policy(map, sb.st_size);
>  if (ret < 0) {
>    printf("security_load_policy failed\n");
>  }
>
>  UMOUNT:
>  /*umount(SELINUXMNT); */
>  if ( fd >= 0) {
>    close(fd);
>  }
>  return(ret);
> }
> #endif
>
> /* Version information */
>
>
> line 2818
> #ifdef WITH_SELINUX
>       if (getenv("SELINUX_INIT") == NULL) {
>         putenv("SELINUX_INIT=YES");
>         if (load_policy(&enforcing) == 0 ) {
>           execv(myname, argv);
>         } else {
>           if (enforcing > 0) {
>             /* SELinux in enforcing mode but load_policy failed */
>             /* At this point, we probably can't open /dev/console, so
> log() won't work */
>                   fprintf(stderr,"Enforcing mode requested but no
> policy loaded. Halting now.\n");
>             exit(1);
>           }
>         }
>       }
> #endif
>
>
>
> and the Makefile has these in it:
>
> line 12
> CFLAGS  = -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
>
> line 52
>
> ifeq ($(WITH_SELINUX),yes)
>  SELINUX_DEF=-DWITH_SELINUX
>  INIT_SELIBS=-lsepol -lselinux
>  SULOGIN_SELIBS=-lselinux
> else
>  SELINUX_DEF=
>  INIT_SELIBS=
>  SULOGIN_SELIBS=
> endif
>
>
> line 71
> init:           init.o init_utmp.o
>                $(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
>
> line 103
> init.o:         init.c init.h set.h reboot.h initreq.h
>                $(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
>
>
> Seems I found a patch from 2003 that
> did load the policy but segfaulted after that.
>
> should I even bother with this since there are
> newer approaches?
>
>
> --
> Justin P. Mattock
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
>



-- 
http://intrajp.no-ip.com/ Home Page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: error: too many arguments to function 'security_getenforce'

[Justin P. Mattock]

Shintaro Fujiwara wrote:
>   security_getenforce(&seconfig);
>
> is wrong.
>
> see
>
> [fujiwara@notepc ~]$ cat -n /usr/include/selinux/selinux.h|grep
> security_getenforce
>     314	extern int security_getenforce(void);
>
>    
Great,

Can you or somebody help me in  finding
a correct patch to load the policy at boot.

I find it hard to believe that such a security policy
  would be lacking  in this area.

Justin P. Mattock



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: error: too many arguments to function 'security_getenforce'

[Daniel J Walsh]

On 08/12/2009 11:30 PM, Justin Mattock wrote:
> Hello,
> I've spent the past few days trying to
> find a correct patch for sysvinit-2.86 to load
> the policy. but seems to keep hitting errors.
> 
> I've made it as far as this:
> gcc -c -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX  init.c
> init.c: In function 'load_policy':
> init.c:107:3: error: too many arguments to function 'security_getenforce'
> init.c:120:0: warning: "MNT_DETACH" redefined
> /usr/include/sys/mount.h:102:0: note: this is the location of the
> previous definition
> init.c:130:7: warning: too many arguments for format
> init.c:206:3: warning: passing argument 3 of 'sepol_genbools' discards
> qualifiers from pointer target type
> /usr/include/sepol/booleans.h:16:12: note: expected 'char *' but
> argument is of type 'const char *'
> init.c: In function 're_exec':
> init.c:2040:2: warning: missing sentinel in function call
> make: *** [init.o] Error 1
> make: Leaving directory `/home/justin/LFS/sysv/sysvinit-2.86/src'
> 
> seems this is the only error showing up if I use the -i option
> from make.
> 
> the patch looks like this:
> (only init.c/Makefile for now until I can get this
> correct)
> 
> starting at line 83
> 
> 		} while(0)
> 
> #ifdef WITH_SELINUX
> #include <sys/mman.h>
> #include <selinux/selinux.h>
> #include <sepol/sepol.h>
> #include <sys/mount.h>
> 
> /* Mount point for selinuxfs. */
> #define SELINUXMNT "/selinux/"
> int enforcing = -1;            /* SELinux enforcing mode */
> 
> 
> static int load_policy(int *enforce)
> {
>   int fd=-1,ret=-1;
>   int rc=0, orig_enforce;
>   struct stat sb;
>   void *map;
>   char policy_file[PATH_MAX];
>   int policy_version=0;
>   extern char *selinux_mnt;
>   FILE *cfg;
>   char buf[4096];
>   int seconfig = -2;
> 
>   security_getenforce(&seconfig);
> 
>   mount("none", "/proc", "proc", 0, 0);
>  cfg = fopen("/proc/cmdline","r");
>   if (cfg) {
>     char *tmp;
>     if (fgets(buf,4096,cfg) && (tmp = strstr(buf,"enforcing="))) {
>       if (tmp == buf || isspace(*(tmp-1))) {
>         enforcing=atoi(tmp+10);
>       }
>     }
>     fclose(cfg);
>   }
> #define MNT_DETACH 2
>   umount2("/proc",MNT_DETACH);
> 
>   if (enforcing >=0)
>     *enforce = enforcing;
>   else if (seconfig == 1)
>     *enforce = 1;
> 
>   if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
>     if (errno == ENODEV) {
>       printf("SELinux not supported by kernel:
> %s\n",SELINUXMNT,strerror(errno));
>       *enforce = 0;
>     } else {
>       printf("Failed to mount %s: %s\n",SELINUXMNT,strerror(errno));
>     }
>     return ret;
>   }
> 
>   selinux_mnt = SELINUXMNT; /* set manually since we mounted it */
> 
>   policy_version=security_policyvers();
>   if (policy_version < 0) {
>     printf( "Can't get policy version: %s\n", strerror(errno));
>     goto UMOUNT;
>   }
> 
>   orig_enforce = rc = security_getenforce();
>   if (rc < 0) {
>     printf( "Can't get SELinux enforcement flag: %s\n", strerror(errno));
>     goto UMOUNT;
>   }
>   if (enforcing >= 0) {
>     *enforce = enforcing;
>   } else if (seconfig == -1) {
>     *enforce = 0;
>     rc = security_disable();
>     if (rc == 0) umount(SELINUXMNT);
>    if (rc < 0) {
>      rc = security_setenforce(0);
>      if (rc < 0) {
>        printf("Can't disable SELinux: %s\n", strerror(errno));
>        goto UMOUNT;
>       }
>     }
>     ret = 0;
>     goto UMOUNT;
>   } else if (seconfig >= 0) {
>     *enforce = seconfig;
>     if (orig_enforce != *enforce) {
>       rc = security_setenforce(seconfig);
>       if (rc < 0) {
>         printf("Can't set SELinux enforcement flag: %s\n", strerror(errno));
>         goto UMOUNT;
>       }
>    }
>   }
> 
>   snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version);
>   fd = open(policy_file, O_RDONLY);
>   if (fd < 0) {
>     /* Check previous version to see if old policy is available
>      */
>     snprintf(policy_file,sizeof(policy_file),"%s.%d",selinux_binary_policy_path(),policy_version-1);
>     fd = open(policy_file, O_RDONLY);
>     if (fd < 0) {
>       printf( "Can't open '%s.%d':  %s\n",
>           selinux_binary_policy_path(),policy_version,strerror(errno));
>       goto UMOUNT;
>     }
>   }
> 
>   if (fstat(fd, &sb) < 0) {
>   printf("Can't stat '%s':  %s\n",
>         policy_file, strerror(errno));
>    goto UMOUNT;
>  }
> 
>   map = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
>   if (map == MAP_FAILED) {
>     printf( "Can't map '%s':  %s\n",
>        policy_file, strerror(errno));
>     goto UMOUNT;
>   }
> 
> 
>   /* Set booleans based on a booleans configuration file. */
>   ret = sepol_genbools(map, sb.st_size, selinux_booleans_path());
>   if (ret < 0) {
>     if (errno == ENOENT || errno == EINVAL) {
>       /* No booleans file or stale booleans in the file; non-fatal. */
>       printf("Warning!  Error while setting booleans:  %s\n"
>           , strerror(errno));
>     } else {
>       printf("Error while setting booleans:  %s\n",
>           strerror(errno));
>       goto UMOUNT;
>     }
>  }
>   printf("Loading security policy\n");
>   ret=security_load_policy(map, sb.st_size);
>   if (ret < 0) {
>     printf("security_load_policy failed\n");
>   }
> 
>  UMOUNT:
>   /*umount(SELINUXMNT); */
>   if ( fd >= 0) {
>     close(fd);
>  }
>   return(ret);
> }
> #endif
> 
> /* Version information */
> 
> 
> line 2818
> #ifdef WITH_SELINUX
>        if (getenv("SELINUX_INIT") == NULL) {
>          putenv("SELINUX_INIT=YES");
>          if (load_policy(&enforcing) == 0 ) {
>            execv(myname, argv);
>          } else {
>            if (enforcing > 0) {
>              /* SELinux in enforcing mode but load_policy failed */
>              /* At this point, we probably can't open /dev/console, so
> log() won't work */
>                    fprintf(stderr,"Enforcing mode requested but no
> policy loaded. Halting now.\n");
>              exit(1);
>            }
>          }
>        }
> #endif
> 
> 
> 
> and the Makefile has these in it:
> 
> line 12
> CFLAGS	= -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE -DWITH_SELINUX
> 
> line 52
> 
> ifeq ($(WITH_SELINUX),yes)
>   SELINUX_DEF=-DWITH_SELINUX
>   INIT_SELIBS=-lsepol -lselinux
>   SULOGIN_SELIBS=-lselinux
> else
>   SELINUX_DEF=
>   INIT_SELIBS=
>   SULOGIN_SELIBS=
> endif
> 
> 
> line 71
> init:		init.o init_utmp.o
> 		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o $(INIT_SELIBS)
> 
> line 103
> init.o:		init.c init.h set.h reboot.h initreq.h
> 		$(CC) -c $(CFLAGS) $(SELINUX_DEF) init.c
> 
> 
> Seems I found a patch from 2003 that
> did load the policy but segfaulted after that.
> 
> should I even bother with this since there are
> newer approaches?
> 
> 
Does

selinux_mkload_policy(1);

Work for you?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: error: too many arguments to function 'security_getenforce'

[Justin P. Mattock]

Daniel J Walsh wrote:
>
> Does
>
> selinux_mkload_policy(1);
>
> Work for you?
>
>    
I clipped part of the message to keep
things clean.

I'm going to be honest, I'm not that yet skilled
in fixing something like this.

with selinux_mkload_policy(1)
were would I put this?

Justin P. Mattock



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: error: too many arguments to function 'security_getenforce'

[Daniel J Walsh]

[-- Attachment #1: Type: text/plain, Size: 779 bytes --]

On 08/13/2009 02:06 PM, Justin P. Mattock wrote:
> Daniel J Walsh wrote:
>>
>> Does
>>
>> selinux_mkload_policy(1);
>>
>> Work for you?
>>
>>    
> I clipped part of the message to keep
> things clean.
> 
> I'm going to be honest, I'm not that yet skilled
> in fixing something like this.
> 
> with selinux_mkload_policy(1)
> were would I put this?
> 
> Justin P. Mattock
> 
> 
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.

Actually the function you probably want 
selinux_init_load_policy

I attached the patch we used to use for sysvinit, before we moved to loading policy in the initrd.




[-- Attachment #2: sysvinit-selinux.patch --]
[-- Type: text/plain, Size: 2642 bytes --]

--- sysvinit-2.85/src/init.c.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/init.c	2005-10-14 14:16:24.000000000 -0400
@@ -48,6 +48,8 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <selinux/selinux.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -2513,6 +2515,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2576,6 +2579,20 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (selinux_init_load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
--- sysvinit-2.85/src/Makefile.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/Makefile	2005-10-14 14:16:24.000000000 -0400
@@ -32,7 +32,7 @@
 all:		$(PROGS)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
@@ -50,7 +50,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o md5_broken.o md5_crypt_broken.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ $^ $(LCRYPT) -lselinux
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
--- sysvinit-2.85/src/sulogin.c.selinux	2005-10-14 14:16:24.000000000 -0400
+++ sysvinit-2.85/src/sulogin.c	2005-10-14 14:18:42.000000000 -0400
@@ -28,7 +28,9 @@
 #  include <crypt.h>
 #endif
 #include "md5.h"
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>

 #define CHECK_DES	1
 #define CHECK_MD5	1
 
@@ -332,6 +335,19 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+	if (is_selinux_enabled > 0) {
+	  security_context_t scon=NULL;
+	  char *seuser=NULL;
+	  char *level=NULL;
+	  if (getseuserbyname("root", &seuser, &level) == 0)
+		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+			  if (setexeccon(scon) != 0) 
+				  fprintf(stderr, "setexeccon faile\n");
+			  freecon(scon);
+		  }
+		free(seuser);
+		free(level);
+	}
 	execl(sushell, shell, NULL);
 	perror(sushell);
 

Re: error: too many arguments to function 'security_getenforce'

[Justin P. Mattock]

Daniel J Walsh wrote:
> On 08/13/2009 02:06 PM, Justin P. Mattock wrote:
>    
>> Daniel J Walsh wrote:
>>      
>>> Does
>>>
>>> selinux_mkload_policy(1);
>>>
>>> Work for you?
>>>
>>>
>>>        
>> I clipped part of the message to keep
>> things clean.
>>
>> I'm going to be honest, I'm not that yet skilled
>> in fixing something like this.
>>
>> with selinux_mkload_policy(1)
>> were would I put this?
>>
>> Justin P. Mattock
>>
>>
>>
>> -- 
>> This message was distributed to subscribers of the selinux mailing list.
>> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
>> with
>> the words "unsubscribe selinux" without quotes as the message.
>>      
>
> Actually the function you probably want
> selinux_init_load_policy
>
> I attached the patch we used to use for sysvinit, before we moved to loading policy in the initrd.
>
>
>
>    
you are the renaissance man...

finally after racking my brain around this one
init finally loads the policy, of course  with your assistance.

I owe you a nice cold one, just let me know if your
ever in the ventura county area.
(or if I head up to silicon valley just name your location of choice).

Thank you for this.

Justin P. Mattock

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.