From 8481f8ce2bd2b19ebcf3cb96ac6825093f626b0f Mon Sep 17 00:00:00 2001
From: "greg@kroah.com"
Date: Sat, 28 Feb 2004 00:52:20 -0800
Subject: [PATCH] [PATCH] Add initial SELinux support for udev

Based on a patch from Daniel J Walsh
---
 Makefile | 8 ++++++++
 README | 6 ++++++
 udev-add.c | 4 ++++
 udev.spec | 15 +++++++++++++++
 udev_selinux.c | 34 ++++++++++++++++++++++++++++++++++
 udev_selinux.h | 10 ++++++++++
 6 files changed, 77 insertions(+)
 create mode 100644 udev_selinux.c
 create mode 100644 udev_selinux.h

diff --git a/Makefile b/Makefile
index d58569f5..b24e1478 100644
--- a/Makefile
+++ b/Makefile
@@ -227,6 +227,14 @@ ifeq ($(USE_DBUS), true)
 OBJS += udev_dbus.o
 endif
+# if USE_SELINUX is enabled, then we do not strip or optimize
+ifeq ($(strip $(USE_SELINUX)),true)
+ CFLAGS += -DUSE_SELINUX
+ OBJS += udev_selinux.o
+ LIB_OBJS += -lselinux
+endif
+
+
 # header files automatically generated
 GEN_HEADERS = udev_version.h
diff --git a/README b/README
index c6391210..75d642c9 100644
--- a/README
+++ b/README
@@ -49,6 +49,11 @@ To use:
 creates or removes a device node. This requires that DBUS development headers and libraries be present on your system to build properly. Default value is 'false'.
+ USE_SELINUX
+ if set to 'true', SELinux support for udev will be built in.
+ This requires that SELinux development headers and libraries be
+ present on your system to build properly. Default value is
+ 'false'.
 DEBUG if set to 'true', debugging messages will be sent to the syslog as udev is run. Default value is 'false'.
@@ -97,3 +102,4 @@ greg@kroah.com
+
diff --git a/udev-add.c b/udev-add.c
index 0d313130..2f64b437 100644
--- a/udev-add.c
+++ b/udev-add.c
@@ -38,6 +38,7 @@
 #include "udev.h"
 #include "udev_version.h"
 #include "udev_dbus.h"
+#include "udev_selinux.h"
 #include "logging.h"
 #include "namedev.h"
 #include "udevdb.h"
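Review bot: The comment `# if USE_SELINUX is enabled, then we do not strip or optimize` describes something the block under it does not do — it only adds `-DUSE_SELINUX`, `udev_selinux.o` and `-lselinux` and touches no strip or optimisation flag, so it reads as copied from another conditional; suggest `# if USE_SELINUX is enabled, build the SELinux labelling code in and link against libselinux`. The test `ifeq ($(strip $(USE_SELINUX)),true)` also uses a different form from the `ifeq ($(USE_DBUS), true)` visible in the hunk header, so a value with surrounding whitespace is accepted for one option and not the other; the two checks should use the same form. The README and udev-add.c include hunks on this line raise nothing.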
@@ -217,6 +218,9 @@ static int create_node(struct udevice *dev, int fake)
 }
 }
+ if (!fake)
+ selinux_add_node(filename);
+
 /* create symlink if requested */
 if (dev->symlink[0] != '\0') {
 symlinks = dev->symlink;
diff --git a/udev.spec b/udev.spec
index 63d1835a..4cd1f8a9 100644
--- a/udev.spec
+++ b/udev.spec
@@ -16,6 +16,11 @@
 # 1 - DBUS support
 %define dbus 0
+# if we want to build SELinux support in or not.
+# 0 - no SELinux support
+# 1 - SELinux support
+%define selinux 1
+
 # if we want to enable debugging support in udev. If it is enabled, lots of
 # stuff will get sent to the debug syslog.
 # 0 - debugging disabled
@@ -67,6 +72,11 @@ make CC="gcc $RPM_OPT_FLAGS" \
 %else
 USE_DBUS=false \
 %endif
+%if %{selinux}
+ USE_SELINUX=true \
+%else
+ USE_SELINUX=false \
+%endif
 %if %{debug}
 DEBUG=true \
 %else
@@ -85,6 +95,11 @@ make DESTDIR=$RPM_BUILD_ROOT install \
 %else
 USE_DBUS=false \
 %endif
+%if %{selinux}
+ USE_SELINUX=true \
+%else
+ USE_SELINUX=false \
+%endif
 %if %{lsb}
 USE_LSB=true \
 %else
diff --git a/udev_selinux.c b/udev_selinux.c
new file mode 100644
index 00000000..3728fd0b
--- /dev/null
+++ b/udev_selinux.c
@@ -0,0 +1,34 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "udev.h"
+#include "udev_version.h"
+#include "udev_selinux.h"
+#include "logging.h"
+
+
+void selinux_add_node(char *filename)
+{
+ int retval;
+
+ if (is_selinux_enabled() > 0) {
+ security_context_t scontext;
+ retval = matchpathcon(filename, 0, &scontext);
+ if (retval < 0) {
+ dbg("matchpathcon(%s) failed\n", filename);
+ } else {
+ retval=setfilecon(filename,scontext);
+ if (retval < 0)
+ dbg("setfiles %s failed with error '%s'",
+ filename, strerror(errno));
+ free(scontext);
+ }
+ }
+}
+
diff --git a/udev_selinux.h b/udev_selinux.h
new file mode 100644
index 00000000..77a1f36b
--- /dev/null
+++ b/udev_selinux.h
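Review bot: `selinux_add_node(filename);` runs after the node has been created (above the hunk, presumably by the mknod path of create_node) and before the `/* create symlink if requested */` block that follows, so the symlinks made there are never labelled and the node itself sits with the filesystem's default label for the window between creation and the setfilecon() call in udev_selinux.c. If the surrounding code allows it, looking the context up first and installing it with `setfscreatecon()` before the node is created (and clearing it afterwards) removes that window; at minimum a comment at the call should state that only the node, not its symlinks, is relabelled. The `if (!fake)` guard is right, since a dry run must not touch the filesystem, but because selinux_add_node returns void a labelling failure is only logged at debug level and create_node still reports success; returning the status so the caller can decide would be safer. create_node starts and ends outside the hunk.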
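Review bot: `%define selinux 1` turns SELinux support on by default for RPM builds, whereas the neighbouring `%define dbus 0` and the README text in this same patch describe 'false' as the default; with it on, every rpmbuild needs the libselinux headers and library at build time and fails otherwise, unless a BuildRequires for the SELinux development package already exists elsewhere in the spec (not visible here). Either default it to `%define selinux 0` for consistency with dbus, or add the BuildRequires in the same patch and say so in the comment, e.g. `# 1 - SELinux support (needs the libselinux development package at build time)`. The two following hunks add the same `%if %{selinux}` block to both make invocations, mirroring the existing dbus handling, and raise nothing further.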
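Review bot: `retval = matchpathcon(filename, 0, &scontext);` passes a mode of 0, so file_contexts entries restricted to a file type (block versus character device, which udev knows when it creates the node) cannot be matched and the node may receive a less specific label than policy intends; passing the mode through, `void selinux_add_node(char *filename, mode_t mode)` and `retval = matchpathcon(filename, mode, &scontext);`, with the call site in udev-add.c updated to match, avoids that. The context returned by matchpathcon should be released with `freecon(scontext);` rather than `free()`, which is the documented libselinux pairing. The message `"setfiles %s failed with error '%s'"` names a different tool than the call that failed, `setfilecon`, and the matchpathcon message ends in `\n` while this one does not, so one of the two is inconsistent with how dbg() is used. A short header comment stating that the function labels an already-created node according to the loaded file_contexts and silently does nothing when SELinux is disabled would document the contract the caller relies on.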
@@ -0,0 +1,10 @@
+#ifndef UDEV_SELINUX_H
+#define UDEV_SELINUX_H
+
+#ifdef USE_SELINUX
+extern void selinux_add_node(char *filename);
+#else
+static void selinux_add_node(char *filename) { }
+#endif
+
+#endif
--
2.39.5
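Review bot: The fallback `static void selinux_add_node(char *filename) { }` defines a non-inline static function in a header, so every translation unit that includes udev_selinux.h without USE_SELINUX gets its own copy and, if the build uses -Wall, an unused-function and unused-parameter warning each time; `static inline void selinux_add_node(char *filename) { (void)filename; }` keeps the no-op and avoids both. Since udev_selinux.c never writes through filename, `const char *filename` is the more accurate prototype on both sides of the `#ifdef` and should be changed together with the definition. A one-line comment above the `#ifdef` saying that the stub is intentionally a no-op when SELinux support is compiled out would make the intent clear to readers of the call site in create_node.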