init: optionally load the system SELinux policy

BUILD

@@ -180,6 +180,8 @@ DEFAULT_STOP_TIMEOUT=XXX
     this, its process group is sent a SIGKILL signal which should cause it to terminate immediately.
     The default if unspecified is 10 seconds. (The value can be overridden for individual services
     via the service description).
+SUPPORT_SELINUX=1|0
+    Whether to build support for loading the system SELinux policy at boot.
 SUPPORT_CGROUPS=1|0
     Whether to include support for cgroups (Linux only).
 SUPPORT_CAPABILITIES=1|0

BUILD_MESON

@@ -167,6 +167,10 @@ Custom options:
  build-shutdown            : Whether to build the shutdown/reboot/halt utilities.
                              Available values : enabled, disabled, auto
                              Default value : auto
+
+ support-selinux           : Enable SELinux support.
+                             Available values : enabled, disabled, auto
+                             Default value : auto
 
 
 Running the test suite

CONTRIBUTORS

@@ -17,3 +17,4 @@ The following people (in alphabetical order) have contributed:
  * Oliver Amann - Code, testing, documentation
  * Locria Cyber - Code, documentation
  * q66 - Code, testing, documentation.
+ * Rahul Sandhu - Code

build/Makefile

@@ -19,7 +19,8 @@ includes/mconfig.h: ../mconfig tools/mconfig-gen.cc version.conf
 		$(if $(SUPPORT_IOPRIO),SUPPORT_IOPRIO=$(SUPPORT_IOPRIO),) \
 		$(if $(SUPPORT_OOM_ADJ),SUPPORT_OOM_ADJ=$(SUPPORT_OOM_ADJ),) \
 		$(if $(USE_UTMPX),USE_UTMPX=$(USE_UTMPX),) \
-		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) > includes/mconfig.h
+		$(if $(USE_INITGROUPS),USE_INITGROUPS=$(USE_INITGROUPS),) \
+		$(if $(SUPPORT_SELINUX),SUPPORT_SELINUX=$(SUPPORT_SELINUX),) > includes/mconfig.h
 
 clean:
 	rm -f includes/mconfig.h

build/mconfig.mesontemplate

@@ -8,6 +8,7 @@
 #mesondefine USE_UTMPX
 #mesondefine USE_INITGROUPS
 #mesondefine SUPPORT_CGROUPS
+#mesondefine SUPPORT_SELINUX
 #mesondefine SUPPORT_CAPABILITIES
 #mesondefine SUPPORT_IOPRIO
 #mesondefine SUPPORT_OOM_ADJ

build/tools/mconfig-gen.cc

@@ -89,6 +89,9 @@ int main(int argc, char **argv)
     if (vars.find("DEFAULT_AUTO_RESTART") != vars.end()) {
         cout << "#define DEFAULT_AUTO_RESTART " << vars["DEFAULT_AUTO_RESTART"] << "\n";
     }
+    if (vars.find("SUPPORT_SELINUX") != vars.end()) {
+        cout << "#define SUPPORT_SELINUX " << vars["SUPPORT_SELINUX"] << "\n";
+    }
 
     cout << "\n// Constants\n";
     cout << "\nconstexpr static char DINIT_VERSION[] = " << stringify(vars["VERSION"]) << ";\n";

configure

@@ -213,6 +213,8 @@ Optional options:
   --enable-initgroups               Enable initialization of supplementary groups for run-as
                                     [Enabled]
   --disable-initgroups              Disable initialization of supplementary groups for run-as
+  --enable-selinux                  Enable SELinux support [Disabled]
+  --disable-selinux                 Disable SELinux support
   --enable-auto-restart             Enable auto-restart for services by default (Deprecated;
                                     use --default-auto-restart=...)
   --disable-auto-restart            Disable auto-restart for services by default (Deprecated;
@@ -283,6 +285,7 @@ for var in PREFIX \
            SUPPORT_OOM_ADJ \
            USE_UTMPX \
            USE_INITGROUPS \
+           SUPPORT_SELINUX \
            SYSCONTROLSOCKET \
            STRIPOPTS
 do
@@ -324,6 +327,8 @@ for arg in "$@"; do
         --disable-initgroups|--enable-initgroups=no) USE_INITGROUPS=0 ;;
         --enable-auto-restart|--enable-auto-restart=yes) DEFAULT_AUTO_RESTART=ALWAYS ;; # Deprecated
         --disable-auto-restart|--enable-auto-restart=no) DEFAULT_AUTO_RESTART=NEVER ;; # Deprecated
+        --enable-selinux|--enable-selinux=yes) SUPPORT_SELINUX=1 ;;
+        --disable-selinux|--enable-selinux=no) SUPPORT_SELINUX=0 ;;
         --enable-strip|--enable-strip=yes) STRIPOPTS="-s" ;;
         --disable-strip|--enable-strip=no) STRIPOPTS="" ;;
         --default-auto-restart=never) DEFAULT_AUTO_RESTART=NEVER ;;
@@ -355,6 +360,7 @@ done
 : "${DEFAULT_START_TIMEOUT:="60"}"
 : "${DEFAULT_STOP_TIMEOUT:="10"}"
 : "${USE_INITGROUPS:="1"}"
+: "${SUPPORT_SELINUX:="0"}"
 if [ "$PLATFORM" = "Linux" ]; then
     : "${BUILD_SHUTDOWN:="yes"}"
     : "${SUPPORT_CGROUPS:="1"}"
@@ -477,6 +483,9 @@ fi
 if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$PLATFORM" = FreeBSD ]; then
     try_ld_argument LDFLAGS_BASE -lrt
 fi
+if [ "$AUTO_LDFLAGS_BASE" = true ] && [ "$SUPPORT_SELINUX" = "1" ]; then
+    try_ld_argument LDFLAGS_BASE -lselinux
+fi
 if [ "$SUPPORT_CAPABILITIES" != 0 ]; then
     if [ "$AUTO_LDFLAGS_LIBCAP" = true ]; then
         try_ld_argument LDFLAGS_LIBCAP -lcap
@@ -587,6 +596,7 @@ LDFLAGS_LIBCAP=$LDFLAGS_LIBCAP
 # Feature settings
 SUPPORT_CGROUPS=$SUPPORT_CGROUPS
 USE_INITGROUPS=$USE_INITGROUPS
+SUPPORT_SELINUX=$SUPPORT_SELINUX
 SUPPORT_CAPABILITIES=$SUPPORT_CAPABILITIES
 SUPPORT_IOPRIO=$SUPPORT_IOPRIO
 SUPPORT_OOM_ADJ=$SUPPORT_OOM_ADJ

doc/linux/SELINUX.md

@@ -0,0 +1,46 @@
+# Dinit SELinux Awareness
+
+Dinit has support for basic SELinux awareness. This document is intended to
+outline the extent and inner workings of dinit's SELinux awareness. The reader
+is assumed to be knowledgeable about the basics of SELinux and dinit.
+
+Dinit needs to be built with SELinux support to enable any of the features that
+are mentioned in this document.
+
+## Loading the system SELinux policy
+When booted as the system init system, dinit by default will attempt to load the
+system's SELinux policy and transition itself to a context specified by that policy
+if not already done so in earlier boot (e.g. by an initramfs). This behaviour may be
+disabled by passing dinit the `--disable-selinux-policy` flag. As dinit will always
+be PID1 in this senario, this can be done by appending the flag to the kernel cmdline.
+
+If not already mounted in earlier boot (e.g. by an initramfs), dinit will mount `/sys`,
+and selinuxfs (typically `/sys/fs/selinux`) during the call to `selinux_init_load_policy(3)`.
+
+The following flowchart provides an overview of the process of loading the policy:
+```mermaid
+flowchart TD
+    A[Start] --> B{"Is dinit running as the init system (PID1)?"}
+    B -->|Yes| C{Have we been requested to not load the SELinux policy?}
+    B -->|No| D[Continue rest of dinit initialization]
+    C -->|Yes| D
+    C -->|No| E[Is the SELinux policy already loaded?]
+    E -->|Yes| D
+    E --> |No| F{Is /proc mounted?}
+    F --> |Yes| J
+    F --> |No| G[Attempt to mount /proc]
+    G --> H{Could we successfully mount /proc?}
+    H --> |Yes| J
+    H -->|No| I[Error exit early]
+    J[Attempt to load the SELinux policy]
+    J --> K{Did the SELinux policy load succeed?}
+    K -->|Yes| L[Attempt to calculate our new context and transition]
+    K -->|No| I
+    L --> M{Did we successfully transition?}
+    M -->|Yes| O{Did we mount /proc?}
+    M -->|No| N[Log an error to stderr]
+    N --> O
+    O -->|Yes| P[Unmount /proc]
+    O -->|No| D
+    P --> D
+```

doc/manpages/dinit.8.m4

@@ -113,6 +113,10 @@ If service description settings contain relative cgroup paths, they will be reso
 this path.
 This option is only available if \fBdinit\fR is built with cgroups support.
 .TP
+\fB\-\-disable\-selinux\-policy\fR
+Disable loading of the system SELinux policy.
+This option is only available if \fBdinit\fR is built with SELinux support.
+.TP
 \fB\-\-help\fR
 Display brief help text and then exit.
 .TP
@@ -298,6 +302,16 @@ There are several ways to work around this.
 Service names following the \fB\-\-container\fR (\fB\-o\fR) or \fB\-\-system\-mgr\fR (\fB\-m\fR) options are not ignored.
 Also, the \fB\-\-service\fR (\fB\-t\fR) option can be used to force a service name to be recognised regardless of operating mode.
 .\"
+.SH SELINUX SUPPORT
+.LP
+When running as PID 1 on a SELinux enabled machine, \fBdinit\fR will by default load the system's SELinux policy.
+This behaviour can be disabled by passing \fB\-\-disable\-selinux\-policy\fR to dinit through the kernel cmdline.
+.LP
+When loading the SELinux policy, dinit will automatically mount a few special filesystems needed to successfully load the policy.
+\fBsysfs\fR will be mounted at \fB/sys\fR, and \fBselinuxfs\fR will be mounted at \fB/sys/fs/selinux\fR.
+\fBdinit\fR will not unmount either.
+\fBprocfs\fR will also be mounted at \fB/proc\fR, but \fBdinit\fR will unmount it when done with it.
+.\"
 .SH FILES
 .\"
 .TP

meson.build

@@ -36,6 +36,7 @@ support_ioprio = get_option('support-ioprio')
 support_oom_adj = get_option('support-oom-adj')
 use_utmpx = get_option('use-utmpx')
 use_initgroups = get_option('use-initgroups')
+support_selinux = get_option('support-selinux')
 default_auto_restart = get_option('default-auto-restart')
 default_start_timeout = get_option('default-start-timeout').to_string()
 default_stop_timeout = get_option('default-stop-timeout').to_string()
@@ -61,6 +62,7 @@ endif
 
 ## Dependencies
 libcap_dep = dependency('libcap', required: support_capabilities)
+libselinux_dep = dependency('libselinux', version : '>= 2.1.9', required : support_selinux)
 
 ## Prepare mconfig.h
 mconfig_data.set_quoted('DINIT_VERSION', version)
@@ -71,6 +73,7 @@ mconfig_data.set('DEFAULT_AUTO_RESTART', default_auto_restart)
 mconfig_data.set('DEFAULT_START_TIMEOUT', default_start_timeout)
 mconfig_data.set('DEFAULT_STOP_TIMEOUT', default_stop_timeout)
 mconfig_data.set10('USE_INITGROUPS', use_initgroups)
+mconfig_data.set10('SUPPORT_SELINUX', libselinux_dep.found() or support_selinux.enabled())
 mconfig_data.set10('SUPPORT_CGROUPS', support_cgroups.auto() and platform == 'linux' or support_cgroups.enabled())
 mconfig_data.set10('SUPPORT_CAPABILITIES', libcap_dep.found() and not support_capabilities.disabled())
 mconfig_data.set10('SUPPORT_IOPRIO', support_ioprio.auto() and platform == 'linux' or support_ioprio.enabled())

meson_options.txt

@@ -109,3 +109,9 @@ option(
     value : 'auto',
     description : 'Building shutdown/reboot/soft-reboot/halt or not.'
 )
+option(
+    'support-selinux',
+    type : 'feature',
+    value : 'auto',
+    description : 'SELinux support'
+)