Merge lp:~jpds/upstart/selinux-support into lp:upstart

Proposed by Jonathan Davies
Status: Rejected
Rejected by: Steve Langasek
Proposed branch: lp:~jpds/upstart/selinux-support
Merge into: lp:upstart
Diff against target: 81 lines (+35/-1)
3 files modified
configure.ac (+9/-0)
init/Makefile.am (+3/-1)
init/main.c (+23/-0)
To merge this branch: bzr merge lp:~jpds/upstart/selinux-support
Reviewer: Steve Langasek (Status: Disapprove)
Review via email: mp+193679@code.launchpad.net

Description of the change

Adds SELinux support to Upstart using the patch that exists in Debian.

lp:~jpds/upstart/selinux-support updated
1548. By Jonathan Davies

Incorporated SELinux support patch from Russell Coker from bug #595774.

1549. By Jonathan Davies

configure.ac: Added --enable-selinux option.

1550. By Jonathan Davies

init/Makefile.am: Added SELinux flags and libraries for init binary.

Dimitri John Ledkov (xnox) wrote :

These patches are also in the Ubuntu Upstart package.

Checking https://launchpad.net/~contributor-agreement-canonical/+members it doesn't look like Russell has completed CLA at http://www.canonical.com/contributors yet. Has this been completed now by him?

Jonathan Davies (jpds) wrote :

> These patches are also in the Ubuntu Upstart package.

Then, we really should be building the package with --enable-selinux (as we do for ls and everything else)...

> Checking https://launchpad.net/~contributor-agreement-canonical/+members it doesn't
> look like Russell has completed CLA at http://www.canonical.com/contributors yet.
> Has this been completed now by him?

The patch is from 2009 and included in Debian and Ubuntu as is. I say we just commit this into trunk and move on.

Steve Langasek (vorlon) wrote :

> The patch is from 2009 and included in Debian and Ubuntu as is. I say we just
> commit this into trunk and move on.

Not how it works. The CLA policy doesn't cease to apply just because a patch is old.

review: Disapprove

Unmerged revisions

1550. By Jonathan Davies

init/Makefile.am: Added SELinux flags and libraries for init binary.

1549. By Jonathan Davies

configure.ac: Added --enable-selinux option.

1548. By Jonathan Davies

Incorporated SELinux support patch from Russell Coker from bug #595774.

Preview Diff

1=== modified file 'configure.ac'
2--- configure.ac 2013-09-12 23:44:17 +0000
3+++ configure.ac 2013-11-02 16:26:24 +0000
4@@ -34,6 +34,15 @@
5 PKG_CHECK_MODULES([UDEV], [libudev >= 146], [have_udev=yes], [have_udev=no])
6 PKG_CHECK_MODULES([DCONF], [dconf >= 0.14], [have_dconf=yes], [have_dconf=no])
7
8+AC_ARG_ENABLE(selinux,
9+ AS_HELP_STRING([--enable-selinux], [enable SELinux support]),
10+ [], [enable_selinux=no])
11+
12+if test "x$enable_selinux" = "xyes" ; then
13+ PKG_CHECK_MODULES(SELINUX, [libselinux])
14+ AC_DEFINE(HAVE_SELINUX, 1, [Define if we have SELinux])
15+fi
16+
17 AC_ARG_ENABLE([udev-bridge],
18 AS_HELP_STRING([--disable-udev-bridge],
19 [Disable building of upstart-udev-bridge even if required dependencies available]),
20
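Review bot: The added `AC_ARG_ENABLE(selinux, ...)`, `PKG_CHECK_MODULES(SELINUX, [libselinux])` and `AC_DEFINE(HAVE_SELINUX, 1, ...)` leave their first arguments unquoted, unlike the `[UDEV]`, `[DCONF]` and `[udev-bridge]` calls around them; quote them to match. The empty action-if-given also accepts any value, so `--enable-selinux=foo` silently behaves like `no`; consider rejecting values other than yes/no, and say in the help string that the default is off.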
21=== modified file 'init/Makefile.am'
22--- init/Makefile.am 2013-08-23 09:22:32 +0000
23+++ init/Makefile.am 2013-11-02 16:26:24 +0000
24@@ -8,7 +8,8 @@
25 $(NIH_CFLAGS) \
26 $(NIH_DBUS_CFLAGS) \
27 $(DBUS_CFLAGS) \
28- $(JSON_CFLAGS)
29+ $(JSON_CFLAGS) \
30+ $(SELINUX_CFLAGS)
31
32 AM_CPPFLAGS = \
33 -DLOCALEDIR="\"$(localedir)\"" \
34@@ -71,6 +72,7 @@
35 $(NIH_DBUS_LIBS) \
36 $(DBUS_LIBS) \
37 $(JSON_LIBS) \
38+ $(SELINUX_LIBS) \
39 -lrt
40
41
42
43=== modified file 'init/main.c'
44--- init/main.c 2013-07-31 09:28:48 +0000
45+++ init/main.c 2013-11-02 16:26:24 +0000
46@@ -46,6 +46,10 @@
47 #include <syslog.h>
48 #include <unistd.h>
49
50+#ifdef HAVE_SELINUX
51+#include <selinux/selinux.h>
52+#endif
53+
54 #include <linux/kd.h>
55
56 #include <nih/macros.h>
57@@ -190,6 +194,25 @@
58 {
59 char **args = NULL;
60 int ret;
61+ int enforce = 0;
62+
63+#ifdef HAVE_SELINUX
64+ if (getenv ("SELINUX_INIT") == NULL) {
65+ putenv ("SELINUX_INIT=YES");
66+ if (selinux_init_load_policy (&enforce) == 0 ) {
67+ execv (argv[0], argv);
68+ } else {
69+ if (enforce > 0) {
70+ /* SELinux in enforcing mode but load_policy
71+ * failed. At this point, we probably can't
72+ * open /dev/console, so log() won't work.
73+ */
74+ fprintf (stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
75+ exit (1);
76+ }
77+ }
78+ }
79+#endif /* HAVE_SELINUX */
80
81 conf_dirs = NIH_MUST (nih_str_array_new (NULL));
82
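Review bot: In the `#ifdef HAVE_SELINUX` block the return of `execv (argv[0], argv)` is ignored, so if the re-exec fails after a successful policy load, init carries on in its pre-policy context with no diagnostic; report the failure after the call and decide explicitly whether to continue. Nothing in these lines checks `getpid () == 1`, so the block runs on every invocation of the binary, and a non-PID-1 run on an enforcing system could reach the `exit (1)` path. The only guard against reloading is the `SELINUX_INIT` environment variable, so any caller that starts init with it already set skips the policy load entirely; worth documenting or replacing with a check of the actual SELinux state. Smaller points: `int enforce = 0;` sits outside the `#ifdef` and will be reported as unused when SELinux support is disabled, and `putenv` is handed a string literal with its return unchecked, where `setenv ("SELINUX_INIT", "YES", 1)` would be cleaner.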
