From: <mad...@us...> - 2007-11-29 16:15:30
Revision: 2692
http://selinux.svn.sourceforge.net/selinux/?rev=2692&view=rev
Author: madmethod
Date: 2007-11-29 08:15:26 -0800 (Thu, 29 Nov 2007)
Log Message:
-----------
Author: Chad Sellers
Email: cse...@tr...
Subject: Initial policy load from load_policy
Date: Tue, 13 Nov 2007 14:24:49 -0500
Updated to include error message on loading failure in enforcing mode.
The below patch adds a -i option to load_policy to perform the initial
policy load. The initial policy load is currently done in systems using
sysvinit by init itself, which then re-exec's itself. Ubuntu uses
upstart instead of sysvinit. In talks with the Ubuntu folks, they'd
prefer to load policy from initramfs before upstart starts rather than
patching upstart.
Signed-off-by: Chad Sellers <cse...@tr...>
Acked-By: Joshua Brindle <me...@ma...>
Modified Paths:
--------------
trunk/policycoreutils/ChangeLog
trunk/policycoreutils/VERSION
trunk/policycoreutils/load_policy/load_policy.8
trunk/policycoreutils/load_policy/load_policy.c
Modified: trunk/policycoreutils/ChangeLog
===================================================================
--- trunk/policycoreutils/ChangeLog 2007-11-29 15:46:57 UTC (rev 2691)
+++ trunk/policycoreutils/ChangeLog 2007-11-29 16:15:26 UTC (rev 2692)
@@ -1,3 +1,6 @@
+2.0.32 2007-10-16
+ * load_policy initial load option from Chad Sellers.
+
2.0.31 2007-10-15
* Fix semodule option handling from Dan Walsh.
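Review bot: the date on the new 2.0.32 entry (2007-10-16) is earlier than both the patch's own date (13 Nov 2007) and this commit (29 Nov 2007). If ChangeLog dates are meant to record when a change landed, this one should be updated; as written it reads as if the -i option was released a month before the patch existed.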
Modified: trunk/policycoreutils/VERSION
===================================================================
--- trunk/policycoreutils/VERSION 2007-11-29 15:46:57 UTC (rev 2691)
+++ trunk/policycoreutils/VERSION 2007-11-29 16:15:26 UTC (rev 2692)
@@ -1 +1 @@
-2.0.31
+2.0.32
Modified: trunk/policycoreutils/load_policy/load_policy.8
===================================================================
--- trunk/policycoreutils/load_policy/load_policy.8 2007-11-29 15:46:57 UTC (rev 2691)
+++ trunk/policycoreutils/load_policy/load_policy.8 2007-11-29 16:15:26 UTC (rev 2692)
@@ -4,7 +4,7 @@
.SH SYNOPSIS
.B load_policy
-[-q]
+[-qi]
.br
.SH DESCRIPTION
.PP
@@ -17,7 +17,23 @@
.TP
.B \-q
suppress warning messages.
+.TP
+.B \-i
+inital policy load. Only use this if this is the first time policy is being loaded since boot (usually called from initramfs).
+.SH "EXIT STATUS"
+.TP
+.B 0
+Success
+.TP
+.B 1
+Invalid option
+.TP
+.B 2
+Policy load failed
+.TP
+.B 3
+Initial policy load failed and enforcing mode requested
.SH SEE ALSO
.B booleans
(8),
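Review bot: the new EXIT STATUS list gives 2 as "Policy load failed", but the load_policy.c change in this same commit also calls exit(2) when -i is given and policy is already loaded, so an initramfs script checking the status cannot tell a failed load from a refused second initial load. Either give the already-loaded case its own status or list it under 2 here. The -i description also misspells "initial" as "inital", and it should say that -i is refused when policy is already loaded, since that is the behaviour the code enforces.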
Modified: trunk/policycoreutils/load_policy/load_policy.c
===================================================================
--- trunk/policycoreutils/load_policy/load_policy.c 2007-11-29 15:46:57 UTC (rev 2691)
+++ trunk/policycoreutils/load_policy/load_policy.c 2007-11-29 16:15:26 UTC (rev 2692)
@@ -19,13 +19,13 @@
void usage(char *progname)
{
- fprintf(stderr, _("usage: %s [-q]\n"), progname);
+ fprintf(stderr, _("usage: %s [-qi]\n"), progname);
exit(1);
}
int main(int argc, char **argv)
{
- int ret, opt, quiet = 0, nargs;
+ int ret, opt, quiet = 0, nargs, init=0, enforce=0;
#ifdef USE_NLS
setlocale(LC_ALL, "");
@@ -33,7 +33,7 @@
textdomain(PACKAGE);
#endif
- while ((opt = getopt(argc, argv, "bq")) > 0) {
+ while ((opt = getopt(argc, argv, "bqi")) > 0) {
switch (opt) {
case 'b':
fprintf(stderr, "%s: Warning! The -b option is no longer supported, booleans are always preserved across reloads. Continuing...\n",
@@ -43,6 +43,9 @@
quiet = 1;
sepol_debug(0);
break;
+ case 'i':
+ init = 1;
+ break;
default:
usage(argv[0]);
}
@@ -61,8 +64,28 @@
"%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n",
argv[0], argv[optind++]);
}
-
- ret = selinux_mkload_policy(1);
+ if (init) {
+ if (is_selinux_enabled() == 1) {
+ /* SELinux is already enabled, we should not do an initial load again */
+ fprintf(stderr,
+ _("%s: Policy is already loaded and initial load requested\n"),
+ argv[0]);
+ exit(2);
+ }
+ ret = selinux_init_load_policy(&enforce);
+ if (ret != 0 ) {
+ if (enforce > 0) {
+ /* SELinux in enforcing mode but load_policy failed */
+ fprintf(stderr,
+ _("%s: Can't load policy and enforcing mode requested: %s\n"),
+ argv[0], strerror(errno));
+ exit(3);
+ }
+ }
+ }
+ else {
+ ret = selinux_mkload_policy(1);
+ }
if (ret < 0) {
fprintf(stderr, _("%s: Can't load policy: %s\n"),
argv[0], strerror(errno));
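Review bot: the -i branch tests "ret != 0" while the shared check right after it tests "ret < 0", so the two disagree on what counts as failure. With enforce at 0, a positive return from selinux_init_load_policy() passes through both checks without any message, and a negative one is reported only by the generic "Can't load policy" path. Use the same condition in both places (ret < 0 if that is the function's failure convention), which also lets the nested ifs collapse into one "ret < 0 && enforce > 0" test. Two smaller points in the same hunk: "is_selinux_enabled() == 1" treats every other return value, including an error return, as "not loaded" and goes on to attempt the initial load, which deserves at least a comment; and exit(2) for the already-loaded case reuses the status the man page documents as "Policy load failed". Also drop the stray space in "if (ret != 0 )".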