Rewritten patch.
Dan
--- udev-030/udev-add.c.selinux 2004-08-25 16:47:52.000000000 -0400
+++ udev-030/udev-add.c 2004-08-26 07:59:42.007575846 -0400
@@ -50,6 +50,11 @@
 #define LOCAL_USER "$local"
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+static int selinux_enabled=-1;
+#endif
+
 /*
 * Right now the major/minor of a device is stored in a file called
 * "dev" in sysfs.
@@ -92,7 +97,25 @@
 break;
 *pos = 0x00;
 if (stat(p, &stats)) {
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(p, S_IFDIR, &scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n", p);
+ } else {
+ seretval=setfscreatecon(scontext);
+ if (seretval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ p, strerror(errno));
+ /* after mkdir, free the context */
+ freecon(scontext);
+ }
+ }
+#endif
 retval = mkdir(p, 0755);
+
 if (retval != 0) {
 dbg("mkdir(%s) failed with error '%s'",
 p, strerror(errno));
@@ -117,6 +140,25 @@
 if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) &&
 (stats.st_rdev == makedev(major, minor))) {
 dbg("preserve file '%s', cause it has correct dev_t", file);
+#ifdef WITH_SELINUX
+ /* lkcl: maybe someone would like to do the same thing with se/linux
+ * security contexts (check they are the same) but hey, not me!
+ */
+ if (selinux_enabled) {
+ security_context_t scontext=NULL;
+ retval = matchpathcon(file, mode, &scontext);
+ if (retval < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+ retval=setfilecon(file, scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
 if (udev_preserve_owner)
 goto exit;
 else
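Review bot: The diagnostic after `seretval=setfscreatecon(scontext)` in the create_path hunk (@@ -92) reports "setfiles %s failed", but no setfiles call is made here; the same copied message appears in the @@ -117 hunk (where the call is setfilecon) and the @@ -129 hunk, while the symlink hunk (@@ -307) already names the call correctly. Use the real function name so a failed labelling can be traced from the log: `dbg("setfscreatecon(%s) failed with error '%s'",` in the create-context blocks and `dbg("setfilecon(%s) failed with error '%s'",` in the preserve block. Separately, `selinux_enabled` is initialised to -1 and only resolved in udev_add_device (@@ -406), so `if (selinux_enabled)` in create_path is true for the unresolved value; that is harmless only as long as create_path is never reached before udev_add_device runs, which the hunk does not show.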
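Review bot: In the preserve branch (@@ -117) `retval = matchpathcon(file, mode, &scontext)` and `retval=setfilecon(file, scontext)` reuse create_node's return variable immediately before `goto exit`; if the exit label returns retval (the label is outside the hunk), a relabel failure turns a successfully preserved node into a create_node failure, and with udev_preserve_owner unset the stale value flows on into the perms path. The other hunks use a local `seretval` for exactly this reason; do the same here with `int seretval = matchpathcon(file, mode, &scontext);` and `seretval = setfilecon(file, scontext);`. Note also that setfilecon, unlike the create-context calls elsewhere in the patch, rewrites the label of an existing node; the lkcl comment acknowledges the current context is not compared first, so a mismatch is silently overwritten rather than logged.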
@@ -129,6 +171,23 @@
 dbg("already present file '%s' unlinked", file);
 create:
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(file, mode, &scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n", file);
+ } else {
+ retval=setfscreatecon(scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ file, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
 retval = mknod(file, mode, makedev(major, minor));
 if (retval != 0) {
 dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +366,23 @@
 dbg("symlink(%s, %s)", linktarget, filename);
 if (!fake) {
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ int seretval = 0;
+ security_context_t scontext=NULL;
+ seretval = matchpathcon(filename, S_IFLNK, &scontext);
+ if (seretval < 0) {
+ dbg("matchpathcon(%s) failed\n", filename);
+ } else {
+ seretval=setfscreatecon(scontext);
+ if (seretval < 0)
+ dbg("setfscreatecon %s failed with error '%s'",
+ filename, strerror(errno));
+ freecon(scontext);
+ }
+ }
+#endif
+
 unlink(filename);
 if (symlink(linktarget, filename) != 0)
 dbg("symlink(%s, %s) failed with error '%s'",
@@ -406,6 +482,13 @@
 char *pos;
 int retval;
+#ifdef WITH_SELINUX
+ int seretval=0;
+ security_context_t prev_scontext=NULL;
+ if (selinux_enabled < 0 )
+ selinux_enabled = (is_selinux_enabled() > 0);
+#endif
+
 memset(&dev, 0x00, sizeof(dev));
 dev.type = get_device_type(path, subsystem);
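Review bot: The mknod hunk (@@ -129) declares `int seretval = 0` and uses it for matchpathcon, but then writes `retval=setfscreatecon(scontext)` and tests `retval`, unlike the otherwise identical mkdir (@@ -92) and symlink (@@ -307) hunks which keep `seretval` throughout. The value is overwritten by the mknod call two lines later so no behaviour is affected, but it reads as an oversight and would become a real bug if the mknod line ever moved; change the two lines to `seretval=setfscreatecon(scontext);` and `if (seretval < 0)`.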
@@ -441,6 +524,24 @@
 dbg("name='%s'", dev.name);
+#ifdef WITH_SELINUX
+ /* record the present security context, for file-creation
+ * restoration creation purposes.
+ *
+ * we're going to assume that between now and the time that
+ * this context is restored that the only filecreation of any
+ * kind to occur will be mknod, symlink and mkdirs.
+ */
+
+ if (selinux_enabled)
+ {
+ prev_scontext=NULL;
+ seretval = getfscreatecon(&prev_scontext);
+ if (seretval < 0) {
+ dbg("getfscreatecon failed\n");
+ }
+ }
+#endif
 switch (dev.type) {
 case 'b':
 case 'c':
@@ -477,6 +578,17 @@
 break;
 }
+#ifdef WITH_SELINUX
+ if (selinux_enabled) {
+ /* reset the file create context to its former glory */
+ if (seretval == 0) {
+ if ( setfscreatecon(prev_scontext) < 0 )
+ dbg("setfscreatecon failed\n");
+ freecon(prev_scontext);
+ }
+ }
+#endif
+
 exit:
 sysfs_close_class_device(class_dev);
--- udev-030/Makefile.selinux 2004-07-09 13:59:09.000000000 -0400
+++ udev-030/Makefile 2004-08-25 16:47:52.000000000 -0400
@@ -25,6 +25,8 @@
 # Leave this set to `false' for production use.
 DEBUG = false
+# Set this to compile with Security-Enhanced Linux support.
+WITH_SELINUX = true
 ROOT = udev
 DAEMON = udevd
@@ -172,6 +175,13 @@
 CFLAGS += -I$(PWD)/libsysfs
+ifeq ($(strip $(WITH_SELINUX)),true)
+ LIB_OBJS += \
+ -lselinux
+ CFLAGS += \
+ -DWITH_SELINUX
+endif
+
 all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER)
 @extras="$(EXTRAS)" ; for target in $$extras ; do \
 echo $$target ; \
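Review bot: The @@ -441 hunk opens the `if (selinux_enabled)` body with the brace on its own line, while every other block in this patch and the surrounding context use K&R braces; `if (selinux_enabled) {` keeps the file consistent. The header comment also has a stray word, `for file-creation restoration creation purposes` — `so the file-creation context can be restored afterwards` says the same thing. The assumption stated in that comment, that only mknod, symlink and mkdir create files before the context is restored, is the load-bearing one for this design and is worth repeating at the restore site, since any file creation later added to udev_add_device would otherwise inherit the device-node context computed by matchpathcon.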
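Review bot: The restore of the previous file-creation context (@@ -477) sits before the `exit:` label, so any `goto exit` taken inside the switch above (its body is outside the hunk) bypasses it and leaves the process's fscreatecon set to the last context chosen by matchpathcon for as long as the process lives. Moving the block to just after `exit:` makes the restore unconditional; `sysfs_close_class_device` creates no files, so its order relative to the restore does not matter. Within the block, `freecon(prev_scontext)` correctly runs only when getfscreatecon succeeded, and passing a NULL prev_scontext to setfscreatecon resets to the default context per the libselinux API, which is the intended result when no create context had been set.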
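Review bot: `WITH_SELINUX = true` turns the option on for every build, so a plain `make` now fails to link on any host without the libselinux headers and library, while the new comment `# Set this to compile with Security-Enhanced Linux support.` reads as opt-in. Default it off to match `DEBUG = false` directly above, `WITH_SELINUX = false`, and let packagers enable it on the command line; the `ifeq ($(strip $(WITH_SELINUX)),true)` block in @@ -172 already handles that case.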