authorJeremy Katz <katzj@redhat.com>2004-02-23 20:53:41 +0000
committerJeremy Katz <katzj@redhat.com>2004-02-23 20:53:41 +0000
commit770df72410cd936f01ff1c303954cbc9b21758cc (patch)
tree6b6bf3437d60e2bdd31d1d6cf4dac19a8995035b /loader2
parent61da6e651ccacef66aff5a5e28184611253d0c60 (diff)
shuffle some selinux stuff around. make policy version be dynamic, set
context of running anaconda to be anaconda_t
Diffstat (limited to 'loader2')
-rw-r--r--loader2/Makefile2
-rw-r--r--loader2/loader.c39
-rw-r--r--loader2/loader.h8
-rw-r--r--loader2/selinux.c110
-rw-r--r--loader2/selinux.h9
5 files changed, 135 insertions, 33 deletions
diff --git a/loader2/Makefile b/loader2/Makefile
index 71dbb2bcd..184270dc0 100644
--- a/loader2/Makefile
+++ b/loader2/Makefile
@@ -18,7 +18,7 @@ BINS = loader
HWOBJS = pcmcia.o usb.o firewire.o hardware.o
METHOBJS = method.o cdinstall.o hdinstall.o nfsinstall.o urlinstall.o
OBJS = log.o moduleinfo.o loadermisc.o modules.o moduledeps.o windows.o \
- lang.o kbd.o modstubs.o driverdisk.o \
+ lang.o kbd.o modstubs.o driverdisk.o selinux.o \
md5.o mediacheck.o kickstart.o driverselect.o \
$(HWOBJS) $(METHOBJS)
LOADEROBJS = loader.o loader-pcmcia.o
diff --git a/loader2/loader.c b/loader2/loader.c
index 5009c264f..e70a51607 100644
--- a/loader2/loader.c
+++ b/loader2/loader.c
@@ -74,6 +74,8 @@
#include "net.h"
#include "telnetd.h"
+#include "selinux.h"
+
#include "../isys/imount.h"
#include "../isys/isys.h"
#include "../isys/stubs.h"
@@ -110,13 +112,6 @@ static int numMethods = sizeof(installMethods) / sizeof(struct installMethod);
/* JKFIXME: bad hack for second stage modules without module-info */
struct moduleBallLocation * secondStageModuleLocation;
-#if defined(__x86_64__) || defined(__s390x__) || defined(__ppc64__)
-#define LIBPATH "/lib64:/usr/lib64:/usr/X11R6/lib64:/usr/kerberos/lib64:/mnt/usr/lib64:/mnt/sysimage/lib64:/mnt/sysimage/usr/lib64"
-#else
-#define LIBPATH "/lib:/usr/lib:/usr/X11R6/lib:/usr/kerberos/lib:/mnt/usr/lib:/mnt/sysimage/lib:/mnt/sysimage/usr/lib"
-#endif
-
-
#if 0
#if !defined(__s390__) && !defined(__s390x__)
#define RAMDISK_DEVICE "/dev/ram"
@@ -124,7 +119,6 @@ struct moduleBallLocation * secondStageModuleLocation;
#define RAMDISK_DEVICE "/dev/ram2"
#endif
-
int setupRamdisk(void) {
gzFile f;
static int done = 0;
@@ -1335,32 +1329,13 @@ int main(int argc, char ** argv) {
/* now load SELinux policy before exec'ing anaconda (unless we've
* specified not to */
if (!FL_NOSELINUX(flags)) {
- char * fn;
- int pid;
-
- if (!access("/tmp/updates/policy.15", R_OK))
- fn = strdup("/tmp/updates/policy.15");
- else if (!access("/mnt/source/RHupdates/policy.15", R_OK))
- fn = strdup("/mnt/source/RHupdates/policy.15");
- else
- fn = strdup("/mnt/runtime/etc/security/selinux/policy.15");
-
- logMessage("Loading SELinux policy from %s", fn);
- if (!(pid = fork())) {
- setenv("LD_LIBRARY_PATH", LIBPATH, 1);
- if (mount("/selinux", "/selinux", "selinuxfs", 0, NULL)) {
- logMessage("failed to mount /selinux: %s", strerror(errno));
- exit(1);
- } else {
- execl("/usr/sbin/load_policy",
- "/usr/sbin/load_policy", fn, NULL);
- logMessage("exec of load_policy failed: %s", strerror(errno));
- exit(1);
+ if (mount("/selinux", "/selinux", "selinuxfs", 0, NULL)) {
+ logMessage("failed to mount /selinux: %s", strerror(errno));
+ } else {
+ if (loadpolicy() == 0) {
+ setexeccon(ANACONDA_CONTEXT);
}
}
-
- waitpid(pid, NULL, 0);
- free(fn);
}
logMessage("Running anaconda script %s", *(argptr-1));
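Review bot: The result of `setexeccon(ANACONDA_CONTEXT)` is discarded, so if the write to /proc/self/attr/exec fails, anaconda is exec'd in the loader's own context with nothing in the log. I would check it, e.g. `if (setexeccon(ANACONDA_CONTEXT)) logMessage("failed to set anaconda context: %s", strerror(errno));`. A non-zero return from loadpolicy() gets no log line here either, and the load_policy exit-status path in selinux.c logs nothing itself, so an `else` branch that logs the failed load would make that outcome visible. Both the mount failure and the policy failure now fall through to running the installer without SELinux enforcement; if that fail-open behaviour is intended, a short comment saying so would help the next reader. main() starts and ends outside this hunk.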
diff --git a/loader2/loader.h b/loader2/loader.h
index cd13ecaeb..10b424219 100644
--- a/loader2/loader.h
+++ b/loader2/loader.h
@@ -110,4 +110,12 @@ struct loaderData_s {
#define INT_TO_POINTER(i) ((void *) (i))
#endif
+/* library paths */
+#if defined(__x86_64__) || defined(__s390x__) || defined(__ppc64__)
+#define LIBPATH "/lib64:/usr/lib64:/usr/X11R6/lib64:/usr/kerberos/lib64:/mnt/usr/lib64:/mnt/sysimage/lib64:/mnt/sysimage/usr/lib64"
+#else
+#define LIBPATH "/lib:/usr/lib:/usr/X11R6/lib:/usr/kerberos/lib:/mnt/usr/lib:/mnt/sysimage/lib:/mnt/sysimage/usr/lib"
+#endif
+
+
#endif
diff --git a/loader2/selinux.c b/loader2/selinux.c
new file mode 100644
index 000000000..7f62a1f5e
--- /dev/null
+++ b/loader2/selinux.c
@@ -0,0 +1,110 @@
+/*
+ * selinux.c - Various SELinux related functionality needed for the loader.
+ *
+ * Jeremy Katz <katzj@redhat.com>
+ *
+ * Copyright 2004 Red Hat, Inc.
+ * Portions extracted from libselinux which was released as public domain
+ * software by the NSA.
+ *
+ * This software may be freely redistributed under the terms of the GNU
+ * General Public License.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include "loader.h"
+#include "loadermisc.h"
+#include "log.h"
+
+static char * getpolicyver() {
+ int fd;
+ char * buf;
+
+ fd = open("/selinux/policyvers", O_RDONLY);
+ if (fd == -1) {
+ return NULL;
+ }
+
+ buf = malloc(128);
+ if ((read(fd, buf, 128)) == -1) {
+ free(buf);
+ close(fd);
+ return NULL;
+ }
+
+ close(fd);
+ return buf;
+}
+
+int loadpolicy() {
+ char * ver, * fn;
+ char *paths[] = { "/tmp/updates/policy.",
+ "/mnt/source/RHupdates/policy.",
+ "/mnt/runtime/etc/security/selinux/policy.",
+ NULL };
+ int i, pid, status;
+
+ ver = getpolicyver();
+ if (ver == NULL) {
+ return -1;
+ }
+
+ fn = malloc(128);
+ for (i = 0; paths[i]; i++) {
+ snprintf(fn, 128, "%s%s", (char *) paths[i], ver);
+ if (!access(fn, R_OK)) {
+ break;
+ }
+ }
+
+ if (access(fn, R_OK)) {
+ logMessage("Unable to load suitable SELinux policy");
+ return -1;
+ }
+
+ logMessage("Loading SELinux policy from %s", fn);
+ if (!(pid = fork())) {
+ setenv("LD_LIBRARY_PATH", LIBPATH, 1);
+ execl("/usr/sbin/load_policy",
+ "/usr/sbin/load_policy", fn, NULL);
+ logMessage("exec of load_policy failed: %s", strerror(errno));
+ exit(1);
+ }
+
+ waitpid(pid, &status, 0);
+ free(fn);
+ if (WIFEXITED(status) && (WEXITSTATUS(status) != 0))
+ return 1;
+
+ return 0;
+}
+
+/* set a context for execution, from libselinux */
+int setexeccon(char * context) {
+ int fd;
+ ssize_t ret;
+
+ fd = open("/proc/self/attr/exec", O_RDWR);
+ if (fd < 0)
+ return -1;
+ if (context)
+ ret = write(fd, context, strlen(context)+1);
+ else
+ ret = write(fd, NULL, 0); /* clear */
+ close(fd);
+ if (ret < 0)
+ return -1;
+ else
+ return 0;
+}
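Review bot: getpolicyver() returns the read() buffer unterminated while loadpolicy() formats it with `%s`, so the policy path is built from whatever bytes follow the data read, and a full 128-byte read leaves no room for a NUL; neither `malloc(128)` result is checked. Read at most 127 bytes, terminate at the returned length and treat a zero-length read as failure, as in the fence below. In loadpolicy(), `ver` is never freed, `fn` leaks on the "Unable to load suitable SELinux policy" return, and a failed fork() (pid of -1) goes straight to waitpid(). A load_policy that dies on a signal is reported as success because only WIFEXITED is tested; `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) return 1;` closes that, so the caller does not set the exec context over an unloaded policy. strerror() and strlen() are used without `<string.h>`.

```c
static char * getpolicyver() {
    int fd;
    char * buf;
    ssize_t n;

    /* … unchanged: open /selinux/policyvers, return NULL on failure … */

    buf = malloc(128);
    if (buf == NULL) {
        close(fd);
        return NULL;
    }

    n = read(fd, buf, 127);    /* keep one byte for the terminator */
    close(fd);
    if (n <= 0) {
        free(buf);
        return NULL;
    }

    buf[n] = '\0';
    return buf;
}
```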
diff --git a/loader2/selinux.h b/loader2/selinux.h
new file mode 100644
index 000000000..93c81800b
--- /dev/null
+++ b/loader2/selinux.h
@@ -0,0 +1,9 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+int setexeccon(char * context);
+int loadpolicy();
+
+#define ANACONDA_CONTEXT "system_u:object_r:anaconda_t"
+
+#endif
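Review bot: `ANACONDA_CONTEXT` uses the role `object_r`, which is conventionally the role given to files and other objects, not to processes; an exec context for a running domain normally needs a role the policy authorizes for that type (typically `system_r`), so this value should be confirmed against the policy that defines anaconda_t. Since the setexeccon() result is not checked at the call site in loader.c, a rejected context would go unnoticed. Two smaller points on the prototypes: `int loadpolicy();` declares an unprototyped function in C and would read better as `int loadpolicy(void);`, and the context is only read, so `int setexeccon(const char * context);` is the more accurate signature. The name also matches the libselinux function it was copied from, which would clash if the loader ever links against that library.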