From: Kay Sievers Date: Tue, 31 Aug 2010 19:29:21 +0000 (+0200) Subject: set SELinux context on 'add' but not on 'change' events X-Git-Tag: 174~352 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=326c5fc3ea684825629eccaf33a548759162a539;p=systemd set SELinux context on 'add' but not on 'change' events
---
diff --git a/udev/udev-node.c b/udev/udev-node.c
index 228b3ebe..c8113f10 100644
--- a/udev/udev-node.c
+++ b/udev/udev-node.c
@@ -56,10 +56,17 @@ int udev_node_mknod(struct udev_device *dev, const char *file, mode_t mode, uid_
 info(udev, "set permissions %s, %#o, uid=%u, gid=%u\n", file, mode, uid, gid);
 chmod(file, mode);
 chown(file, uid, gid);
- udev_selinux_lsetfilecon(udev, file, mode);
 } else {
 info(udev, "preserve permissions %s, %#o, uid=%u, gid=%u\n", file, mode, uid, gid);
 }
+ /*
+ * Set initial selinux file context only on add events.
+ * We set the proper context on bootup (triger) or for newly
+ * added devices, but we don't change it later, in case
+ * something else has set a custom context in the meantime.
+ */
+ if (strcmp(udev_device_get_action(dev), "add") == 0)
+ udev_selinux_lsetfilecon(udev, file, mode);
 /* always update timestamp when we re-use the node, like on media change events */
 utimensat(AT_FDCWD, file, NULL, 0);
 } else {
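Review bot: The new `if` passes `udev_device_get_action(dev)` straight to `strcmp()`, and that accessor returns NULL for a device object that carries no action, which makes the comparison undefined behaviour; whether such a device can reach udev_node_mknod from its callers is not visible in this hunk, so a cheap guard is warranted: `const char *action = udev_device_get_action(dev);` / `if (action != NULL && strcmp(action, "add") == 0)`. Because the relabel is now skipped on every non-"add" event, a node whose context was lost or altered between events keeps the stale context until the next add or trigger; that is the stated intent, but it is worth stating in the commit message so an operator debugging an AVC denial on a "change" path knows to look here. The added comment also misspells "trigger" as "triger". The enclosing function udev_node_mknod begins and ends outside this hunk.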