Description: Load SELinux policy from within init.
Author: Russell Coker <russell@coker.com.au>
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=543420
Index: upstart/configure.ac
===================================================================
--- upstart.orig/configure.ac	2010-06-18 06:27:25.435932103 +0200
+++ upstart/configure.ac	2010-06-18 06:33:04.251932688 +0200
@@ -31,6 +31,15 @@
 PKG_CHECK_MODULES([NIH_DBUS], [libnih-dbus >= 1.0.0])
 PKG_CHECK_MODULES([DBUS], [dbus-1 >= 1.2.16])
 
+AC_ARG_ENABLE(selinux,
+	      AS_HELP_STRING([--enable-selinux], [enable SELinux support]),
+	      [], [enable_selinux=no])
+
+if test "x$enable_selinux" = "xyes" ; then
+	PKG_CHECK_MODULES(SELINUX, [libselinux])
+	AC_DEFINE(HAVE_SELINUX, 1, [Define if we have SELinux])
+fi
+
 # Checks for header files.
 AC_CHECK_HEADERS([valgrind/valgrind.h])
 
Index: upstart/init/Makefile.am
===================================================================
--- upstart.orig/init/Makefile.am	2010-06-18 06:27:25.411927649 +0200
+++ upstart/init/Makefile.am	2010-06-18 06:33:04.251932688 +0200
@@ -5,7 +5,8 @@
 AM_CFLAGS = \
 	$(NIH_CFLAGS) \
 	$(NIH_DBUS_CFLAGS) \
-	$(DBUS_CFLAGS)
+	$(DBUS_CFLAGS) \
+	$(SELINUX_CFLAGS)
 
 AM_CPPFLAGS = \
 	-DLOCALEDIR="\"$(localedir)\"" \
@@ -60,6 +61,7 @@
 	$(NIH_LIBS) \
 	$(NIH_DBUS_LIBS) \
 	$(DBUS_LIBS) \
+	$(SELINUX_LIBS) \
 	-lrt
 
 
Index: upstart/init/main.c
===================================================================
--- upstart.orig/init/main.c	2010-06-18 06:27:25.423930854 +0200
+++ upstart/init/main.c	2010-06-18 06:33:41.583934453 +0200
@@ -21,7 +21,6 @@
 # include <config.h>
 #endif /* HAVE_CONFIG_H */
 
-
 #include <sys/types.h>
 #include <sys/time.h>
 #include <sys/wait.h>
@@ -37,6 +36,10 @@
 #include <syslog.h>
 #include <unistd.h>
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include <linux/kd.h>
 
 #include <nih/macros.h>
@@ -108,6 +111,25 @@
 {
 	char **args;
 	int    ret;
+	int    enforce = 0;
+
+#ifdef HAVE_SELINUX
+	if (getenv ("SELINUX_INIT") == NULL) {
+		putenv ("SELINUX_INIT=YES");
+		if (selinux_init_load_policy (&enforce) == 0 ) {
+			execv (argv[0], argv);
+		} else {
+			if (enforce > 0) {
+				/* SELinux in enforcing mode but load_policy
+				 * failed. At this point, we probably can't
+				 * open /dev/console, so log() won't work.
+				 */
+				fprintf (stderr, "Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+				exit (1);
+			}
+		}
+	}
+#endif /* HAVE_SELINUX */
 
 	argv0 = argv[0];
 	nih_main_init (argv0);