- /*
- * Set initial selinux file context only on add events.
- * We set the proper context on bootup (triger) or for newly
- * added devices, but we don't change it later, in case
- * something else has set a custom context in the meantime.
- */
- if (strcmp(udev_device_get_action(dev), "add") == 0)
- label_fix(devnode, true);
+ if ((stats.st_mode & 0777) != (mode & 0777) || stats.st_uid != uid || stats.st_gid != gid) {
+ log_debug("set permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
+ chmod(devnode, mode);
+ chown(devnode, uid, gid);
+ } else {
+ log_debug("preserve permissions %s, %#o, uid=%u, gid=%u", devnode, mode, uid, gid);
+ }
+
+ /* apply SECLABEL{$module}=$label */
+ udev_list_entry_foreach(entry, udev_list_get_entry(seclabel_list)) {
+ const char *name, *label;
+
+ name = udev_list_entry_get_name(entry);
+ label = udev_list_entry_get_value(entry);
+
+ if (streq(name, "selinux")) {
+ selinux = true;
+ if (label_apply(devnode, label) < 0)
+ log_error("SECLABEL: failed to set SELinux label '%s'", label);
+ else
+ log_debug("SECLABEL: set SELinux label '%s'", label);
+
+ } else if (streq(name, "smack")) {
+ smack = true;
+ if (smack_label_path(devnode, label) < 0)
+ log_error("SECLABEL: failed to set SMACK label '%s'", label);
+ else
+ log_debug("SECLABEL: set SMACK label '%s'", label);
+
+ } else
+ log_error("SECLABEL: unknown subsystem, ignoring '%s'='%s'", name, label);
+ }
+
+ /* set the defaults */
+ if (!selinux)
+ label_fix(devnode, true, false);
+ if (!smack)
+ smack_label_path(devnode, NULL);
+ }