openrc-init: add SELinux support

This is for #173.
author: William Hubbs <w.d.hubbs@gmail.com> 2018-11-02 18:22:11 -0500
committer: William Hubbs <w.d.hubbs@gmail.com> 2018-11-02 18:22:11 -0500
commit: ee3c4afdb75b98cd472b7ffbb46adc9d8a1e1b15 (patch)
tree: eff5a6eca43369fb8f37d29cb146d7c2b3b854dc /src
parent: e2416d089396e2b9a72cc56ef9f57886ffb0f1c8 (diff)
1 files changed, 30 insertions, 0 deletions
diff --git a/src/rc/openrc-init.c b/src/rc/openrc-init.c
index e557c63d..c57a3b06 100644
--- a/src/rc/openrc-init.c
+++ b/src/rc/openrc-init.c
@@ -31,6 +31,10 @@
 #include <sys/reboot.h>
 #include <sys/wait.h>
 
+#ifdef HAVE_SELINUX
+#  include <selinux/selinux.h>
+#endif
+
 #include "helpers.h"
 #include "rc.h"
 #include "rc-wtmp.h"
@@ -161,10 +165,36 @@ int main(int argc, char **argv)
 	bool reexec = false;
 	sigset_t signals;
 	struct sigaction sa;
+#ifdef HAVE_SELINUX
+	int			enforce = 0;
+#endif
 
 	if (getpid() != 1)
 		return 1;
 
+#ifdef HAVE_SELINUX
+	if (getenv("SELINUX_INIT") == NULL) {
+		if (is_selinux_enabled() != 1) {
+			if (selinux_init_load_policy(&enforce) == 0) {
+				putenv("SELINUX_INIT=YES");
+				execv(argv[0], argv);
+			} else {
+				if (enforce > 0) {
+					/*
+					 * SELinux in enforcing mode but load_policy failed
+					 * At this point, we probably can't open /dev/console,
+					 * so log() won't work
+					 */
+					fprintf(stderr,"Unable to load SELinux Policy.\n");
+					fprintf(stderr,"Machine is  in enforcing mode.\n");
+					fprintf(stderr,"Halting now.\n");
+					exit(1);
+				}
+			}
+		}
+	}
+#endif  
+
 	printf("OpenRC init version %s starting\n", VERSION);
 
 	if (argc > 1)
author	William Hubbs <w.d.hubbs@gmail.com>	2018-11-02 18:22:11 -0500
committer	William Hubbs <w.d.hubbs@gmail.com>	2018-11-02 18:22:11 -0500
commit	ee3c4afdb75b98cd472b7ffbb46adc9d8a1e1b15 (patch)
tree	eff5a6eca43369fb8f37d29cb146d7c2b3b854dc /src
parent	e2416d089396e2b9a72cc56ef9f57886ffb0f1c8 (diff)