This is a multi-part message in MIME format.
Rewritten patch.
Dan
--- udev-030/udev-add.c.selinux 2004-08-25 16:47:52.000000000 -0400
+++ udev-030/udev-add.c 2004-08-26 07:59:42.007575846 -0400
@@ -50,6 +50,11 @@
#define LOCAL_USER "$local"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+static int selinux_enabled=-1;
+#endif
+
/*
* Right now the major/minor of a device is stored in a file called
* "dev" in sysfs.
@@ -92,7 +97,25 @@
break;
*pos = 0x00;
if (stat(p, &stats)) {
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(p, S_IFDIR, &scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n", p);
+ } else {
+ seretval=setfscreatecon(scontext);
+ if (seretval < 0)
+ dbg("setfiles %s failed with
error '%s'",
+ p, strerror(errno));
+ /* after mkdir, free the context */
+ freecon(scontext);
+ }
+ }
+#endif
retval = mkdir(p, 0755);
+
if (retval != 0) {
dbg("mkdir(%s) failed with error '%s'",
p, strerror(errno));
@@ -117,6 +140,25 @@
if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) ==
S_IFCHR) &&
(stats.st_rdev == makedev(major, minor))) {
dbg("preserve file '%s', cause it has correct dev_t", file);
+#ifdef WITH_SELINUX
+ /* lkcl: maybe someone would like to do the same thing with
se/linux
+ * security contexts (check they are the same) but hey, not me!
+ */
+ if (selinux_enabled) {
+ security_context_t scontext=NULL;
+ retval = matchpathcon(file, mode, &scontext);
+ if (retval < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+ retval=setfilecon(file, scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error
'%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
if (udev_preserve_owner)
goto exit;
else
@@ -129,6 +171,23 @@
dbg("already present file '%s' unlinked", file);
create:
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(file, mode, &scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+ retval=setfscreatecon(scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
retval = mknod(file, mode, makedev(major, minor));
if (retval != 0) {
dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +366,23 @@
dbg("symlink(%s, %s)", linktarget, filename);
if (!fake) {
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(filename, S_IFLNK,
&scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n",
filename);
+ } else {
+ seretval=setfscreatecon(scontext);
+ if (seretval < 0)
+ dbg("setfscreatecon %s failed
with error '%s'",
+ filename, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
unlink(filename);
if (symlink(linktarget, filename) != 0)
dbg("symlink(%s, %s) failed with error '%s'",
@@ -406,6 +482,13 @@
char *pos;
int retval;
+#ifdef WITH_SELINUX
+ int seretval=0;
+ security_context_t prev_scontext=NULL;
+ if (selinux_enabled < 0 )
+ selinux_enabled = (is_selinux_enabled() > 0);
+#endif
+
memset(&dev, 0x00, sizeof(dev));
dev.type = get_device_type(path, subsystem);
@@ -441,6 +524,24 @@
dbg("name='%s'", dev.name);
+#ifdef WITH_SELINUX
+ /* record the present security context, for file-creation
+ * restoration creation purposes.
+ *
+ * we're going to assume that between now and the time that
+ * this context is restored that the only filecreation of any
+ * kind to occur will be mknod, symlink and mkdirs.
+ */
+
+ if (selinux_enabled)
+ {
+ prev_scontext=NULL;
+ seretval = getfscreatecon(&prev_scontext);
+ if (seretval < 0) {
+ dbg("getfscreatecon failed\n");
+ }
+ }
+#endif
switch (dev.type) {
case 'b':
case 'c':
@@ -477,6 +578,17 @@
break;
}
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ /* reset the file create context to its former glory */
+ if (seretval == 0) {
+ if ( setfscreatecon(prev_scontext) < 0 )
+ dbg("setfscreatecon failed\n");
+ freecon(prev_scontext);
+ }
+ }
+#endif
+
exit:
sysfs_close_class_device(class_dev);
--- udev-030/Makefile.selinux 2004-07-09 13:59:09.000000000 -0400
+++ udev-030/Makefile 2004-08-25 16:47:52.000000000 -0400
@@ -25,6 +25,8 @@
# Leave this set to `false' for production use.
DEBUG = false
+# Set this to compile with Security-Enhanced Linux support.
+WITH_SELINUX = true
ROOT = udev
DAEMON = udevd
@@ -172,6 +175,13 @@
CFLAGS += -I$(PWD)/libsysfs
+ifeq ($(strip $(WITH_SELINUX)),true)
+ LIB_OBJS += \
+ -lselinux
+ CFLAGS += \
+ -DWITH_SELINUX
+endif
+
all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER)
@extras="$(EXTRAS)" ; for target in $$extras ; do \
echo $$target ; \
|
