[PATCH] Add initial SELinux support for udev

Based on a patch from Daniel J Walsh <dwalsh@redhat.com>

diff --git a/Makefile b/Makefile
index d58569f5815d900230d9130d4ca650b943782ff4..b24e147838f6d4613bc942eb84affcc274d167f7 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -227,6 +227,14 @@ ifeq ($(USE_DBUS), true)
        OBJS += udev_dbus.o
 endif
 
+# if USE_SELINUX is enabled, then we do not strip or optimize
+ifeq ($(strip $(USE_SELINUX)),true)
+       CFLAGS  += -DUSE_SELINUX
+       OBJS += udev_selinux.o
+       LIB_OBJS += -lselinux
+endif
+
+
 # header files automatically generated
 GEN_HEADERS =  udev_version.h
 

diff --git a/README b/README
index c63912101a403cfd91dc81adb84591220b56f0a2..75d642c94238087306e4812a09edc2e049853e37 100644 (file)
--- a/README
+++ b/README
@@ -49,6 +49,11 @@ To use:
                creates or removes a device node.  This requires that DBUS
                development headers and libraries be present on your system to
                build properly.  Default value is 'false'.
+       USE_SELINUX
+               if set to 'true', SELinux support for udev will be built in.
+               This requires that SELinux development headers and libraries be
+               present on your system to build properly.  Default value is
+               'false'.
        DEBUG
                if set to 'true', debugging messages will be sent to the syslog
                as udev is run.  Default value is 'false'.
@@ -97,3 +102,4 @@ greg@kroah.com
 
 
 
+

diff --git a/udev-add.c b/udev-add.c
index 0d3131300ff9d175373d79d897493b7c3d376381..2f64b4375ab8019409f289f48b4cb2cd22f14171 100644 (file)
--- a/udev-add.c
+++ b/udev-add.c
@@ -38,6 +38,7 @@
 #include "udev.h"
 #include "udev_version.h"
 #include "udev_dbus.h"
+#include "udev_selinux.h"
 #include "logging.h"
 #include "namedev.h"
 #include "udevdb.h"
@@ -217,6 +218,9 @@ static int create_node(struct udevice *dev, int fake)
                }
        }
 
+       if (!fake)
+               selinux_add_node(filename);
+
        /* create symlink if requested */
        if (dev->symlink[0] != '\0') {
                symlinks = dev->symlink;

diff --git a/udev.spec b/udev.spec
index 63d1835a4a0e9d8d413bd5901a0604ef75269e88..4cd1f8a94bc9aaba8170826f49e1bae3fb6b5ef3 100644 (file)
--- a/udev.spec
+++ b/udev.spec
@@ -16,6 +16,11 @@
 # 1 - DBUS support
 %define dbus 0
 
+# if we want to build SELinux support in or not.
+# 0 - no SELinux support
+# 1 - SELinux support
+%define selinux 1 
+
 # if we want to enable debugging support in udev.  If it is enabled, lots of 
 # stuff will get sent to the debug syslog.
 # 0 - debugging disabled
@@ -67,6 +72,11 @@ make CC="gcc $RPM_OPT_FLAGS" \
 %else
        USE_DBUS=false          \
 %endif
+%if %{selinux}
+       USE_SELINUX=true        \
+%else
+       USE_SELINUX=false       \
+%endif
 %if %{debug}
        DEBUG=true              \
 %else
@@ -85,6 +95,11 @@ make DESTDIR=$RPM_BUILD_ROOT install \
 %else
        USE_DBUS=false          \
 %endif
+%if %{selinux}
+       USE_SELINUX=true        \
+%else
+       USE_SELINUX=false       \
+%endif
 %if %{lsb}
        USE_LSB=true            \
 %else

diff --git a/udev_selinux.c b/udev_selinux.c
new file mode 100644 (file)
index 0000000..3728fd0
--- /dev/null
+++ b/udev_selinux.c
@@ -0,0 +1,34 @@
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+
+#include "udev.h"
+#include "udev_version.h"
+#include "udev_selinux.h"
+#include "logging.h"
+
+
+void selinux_add_node(char *filename)
+{
+       int retval;
+
+       if (is_selinux_enabled() > 0) {
+               security_context_t scontext;
+               retval = matchpathcon(filename, 0, &scontext);
+               if (retval < 0) {
+                       dbg("matchpathcon(%s) failed\n", filename);
+               } else {
+                       retval=setfilecon(filename,scontext);
+                       if (retval < 0)
+                               dbg("setfiles %s failed with error '%s'",
+                                   filename, strerror(errno));
+                       free(scontext);
+               }
+       }
+}
+

diff --git a/udev_selinux.h b/udev_selinux.h
new file mode 100644 (file)
index 0000000..77a1f36
--- /dev/null
+++ b/udev_selinux.h
@@ -0,0 +1,10 @@
+#ifndef UDEV_SELINUX_H
+#define UDEV_SELINUX_H
+
+#ifdef USE_SELINUX
+extern void selinux_add_node(char *filename);
+#else
+static void selinux_add_node(char *filename) { }
+#endif
+
+#endif