init: optionally load the system SELinux policy

davmac314 · Oct 15, 2024 · 9e7b440 · 9e7b440
1 parent e7ad5b1
commit 9e7b440
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 2 deletions.
diff --git a/CONTRIBUTORS b/CONTRIBUTORS
@@ -16,3 +16,4 @@ The following people (in alphabetical order) have contributed:
  * Oliver Amann - Code, testing, documentation
  * Locria Cyber - Code, documentation
  * q66 - Code, testing, documentation.
+ * Rahul Sandhu - Code
diff --git a/build/mconfig.mesontemplate b/build/mconfig.mesontemplate
@@ -8,6 +8,7 @@
 #mesondefine USE_UTMPX
 #mesondefine USE_INITGROUPS
 #mesondefine SUPPORT_CGROUPS
+#mesondefine SUPPORT_SELINUX
 #mesondefine DEFAULT_AUTO_RESTART
 #mesondefine DEFAULT_START_TIMEOUT
 #mesondefine DEFAULT_STOP_TIMEOUT

diff --git a/configure b/configure
@@ -152,6 +152,7 @@ Optional options:
   --disable-utmpx                   Disable manipulating the utmp/utmpx database via the related POSIX functions
   --enable-initgroups               Enable initialization of supplementary groups for run-as [Enabled]
   --disable-initgroups              Disable initialization of supplementary groups for run-as
+  --enable-selinux                  Enable SELinux support [Enabled only on Linux based systems]
   --enable-auto-restart             Enable auto-restart for services by default [Deprecated]
   --disable-auto-restart            Disable auto-restart for services by default [Deprecated]
   --default-start-timeout=sec       Default start-timeout for services [60]
@@ -243,6 +244,7 @@ for arg in "$@"; do
         --disable-utmpx|--enable-utmpx=no) USE_UTMPX=0 ;;
         --enable-initgroups|--enable-initgroups=yes) USE_INITGROUPS=1 ;;
         --disable-initgroups|--enable-initgroups=no) USE_INITGROUPS=0 ;;
+        --enable-selinux|--enable-selinux=yes) SUPPORT_SELINUX=1 ;;
         --enable-auto-restart|--enable-auto-restart=yes) DEFAULT_AUTO_RESTART=ALWAYS ;; # Deprecated
         --disable-auto-restart|--enable-auto-restart=no) DEFAULT_AUTO_RESTART=NEVER ;; # Deprecated
         --enable-strip|--enable-strip=yes) STRIPOPTS="-s" ;;

diff --git a/meson.build b/meson.build
@@ -33,6 +33,7 @@ man_pages = get_option('man-pages')
 support_cgroups = get_option('support-cgroups')
 use_utmpx = get_option('use-utmpx')
 use_initgroups = get_option('use-initgroups')
+libselinux = dependency('libselinux', version : '>= 2.1.9', required : get_option('selinux'))
 default_auto_restart = get_option('default-auto-restart')
 default_start_timeout = get_option('default-start-timeout').to_string()
 default_stop_timeout = get_option('default-stop-timeout').to_string()
@@ -65,6 +66,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
+mconfig_data.set10('SUPPORT_SELINUX', libselinux.found())
 if support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled()
     mconfig_data.set('SUPPORT_CGROUPS', '1') 
 endif

diff --git a/meson_options.txt b/meson_options.txt
@@ -91,3 +91,9 @@ option(
     value : 'auto',
     description : 'Building shutdown/reboot/soft-reboot/halt or not.'
 )
+option(
+    'selinux',
+    type : 'feature',
+    value : 'auto',
+    description : 'SELinux support'
+)
diff --git a/src/dinit.cc b/src/dinit.cc
@@ -37,6 +37,10 @@
 
 #include "mconfig.h"
 
+#if SUPPORT_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 /*
  * When running as the system init process, Dinit processes the following signals:
  *
@@ -460,7 +464,27 @@ int dinit_main(int argc, char **argv)
 
     am_system_mgr = (getpid() == 1);
     am_system_init = (getuid() == 0);
-
+
+#if SUPPORT_SELINUX
+    int enforce = 0;
+    if (getenv("SELINUX_INIT") == NULL && am_system_mgr && am_system_init) {
+        if (is_selinux_enabled() != 1) {
+            if (selinux_init_load_policy(&enforce) == 0) {
+                setenv("SELINUX_INIT", "YES", 1);
+                // Once the selinux policy has loaded, we should reexec ourself so we get assigned the
+                // right context.
+                execv(argv[0], argv);
+            } else {
+                if (enforce > 0) {
+                    fprintf(stderr, "Failed to load SELinux policy.\n");
+                    // error exit
+                    return 1;
+                }
+            }
+        }
+    }
+#endif
+
     struct options opts;
 
     // if we are PID 1 and user id 0, we are *most probably* the system init. (Or on linux at least, we

diff --git a/src/meson.build b/src/meson.build
@@ -21,6 +21,12 @@ dinit_source_files = [
     'dinit-env.cc',
     'settings.cc'
 ]
+dinit_dependencies = []
+
+if libselinux.found()
+    dinit_dependencies += libselinux
+endif
+
 
 ## src/'s Defines
 shutdown_built = false
@@ -40,7 +46,8 @@ endif
 executable(
     'dinit',
     dinit_source_files,
-    kwargs: misc_args
+    kwargs: misc_args,
+    dependencies: dinit_dependencies
 )
 executable(
     'dinitctl',