[PATCH] Add initial SELinux support for udev

Based on a patch from Daniel J Walsh <dwalsh@redhat.com>

diff --git a/Makefile b/Makefile
index d58569f5815d900230d9130d4ca650b943782ff4..b24e147838f6d4613bc942eb84affcc274d167f7 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -227,6 +227,14 @@ ifeq ($(USE_DBUS), true)
        OBJS += udev_dbus.o
 endif
 
        OBJS += udev_dbus.o
 endif
 

+# if USE_SELINUX is enabled, then we do not strip or optimize
+ifeq ($(strip $(USE_SELINUX)),true)
+       CFLAGS  += -DUSE_SELINUX
+       OBJS += udev_selinux.o
+       LIB_OBJS += -lselinux
+endif
+
+

 # header files automatically generated
 GEN_HEADERS =  udev_version.h
 
 # header files automatically generated
 GEN_HEADERS =  udev_version.h
 

diff --git a/README b/README
index c63912101a403cfd91dc81adb84591220b56f0a2..75d642c94238087306e4812a09edc2e049853e37 100644 (file)
--- a/README
+++ b/README
@@ -49,6 +49,11 @@ To use:
                creates or removes a device node.  This requires that DBUS
                development headers and libraries be present on your system to
                build properly.  Default value is 'false'.
                creates or removes a device node.  This requires that DBUS
                development headers and libraries be present on your system to
                build properly.  Default value is 'false'.

+       USE_SELINUX
+               if set to 'true', SELinux support for udev will be built in.
+               This requires that SELinux development headers and libraries be
+               present on your system to build properly.  Default value is
+               'false'.

        DEBUG
                if set to 'true', debugging messages will be sent to the syslog
                as udev is run.  Default value is 'false'.
        DEBUG
                if set to 'true', debugging messages will be sent to the syslog
                as udev is run.  Default value is 'false'.


@@ -97,3 +102,4 @@ greg@kroah.com
 
 
 
 
 
 

+

diff --git a/udev-add.c b/udev-add.c
index 0d3131300ff9d175373d79d897493b7c3d376381..2f64b4375ab8019409f289f48b4cb2cd22f14171 100644 (file)
--- a/udev-add.c
+++ b/udev-add.c
@@ -38,6 +38,7 @@
 #include "udev.h"
 #include "udev_version.h"
 #include "udev_dbus.h"
 #include "udev.h"
 #include "udev_version.h"
 #include "udev_dbus.h"

+#include "udev_selinux.h"

 #include "logging.h"
 #include "namedev.h"
 #include "udevdb.h"
 #include "logging.h"
 #include "namedev.h"
 #include "udevdb.h"


@@ -217,6 +218,9 @@ static int create_node(struct udevice *dev, int fake)
                }
        }
 
                }
        }
 

+       if (!fake)
+               selinux_add_node(filename);
+

        /* create symlink if requested */
        if (dev->symlink[0] != '\0') {
                symlinks = dev->symlink;
        /* create symlink if requested */
        if (dev->symlink[0] != '\0') {
                symlinks = dev->symlink;

diff --git a/udev.spec b/udev.spec
index 63d1835a4a0e9d8d413bd5901a0604ef75269e88..4cd1f8a94bc9aaba8170826f49e1bae3fb6b5ef3 100644 (file)
--- a/udev.spec
+++ b/udev.spec
@@ -16,6 +16,11 @@
 # 1 - DBUS support
 %define dbus 0
 
 # 1 - DBUS support
 %define dbus 0
 

+# if we want to build SELinux support in or not.
+# 0 - no SELinux support
+# 1 - SELinux support
+%define selinux 1 
+

 # if we want to enable debugging support in udev.  If it is enabled, lots of 
 # stuff will get sent to the debug syslog.
 # 0 - debugging disabled
 # if we want to enable debugging support in udev.  If it is enabled, lots of 
 # stuff will get sent to the debug syslog.
 # 0 - debugging disabled


@@ -67,6 +72,11 @@ make CC="gcc $RPM_OPT_FLAGS" \
 %else
        USE_DBUS=false          \
 %endif
 %else
        USE_DBUS=false          \
 %endif

+%if %{selinux}
+       USE_SELINUX=true        \
+%else
+       USE_SELINUX=false       \
+%endif

 %if %{debug}
        DEBUG=true              \
 %else
 %if %{debug}
        DEBUG=true              \
 %else


@@ -85,6 +95,11 @@ make DESTDIR=$RPM_BUILD_ROOT install \
 %else
        USE_DBUS=false          \
 %endif
 %else
        USE_DBUS=false          \
 %endif

+%if %{selinux}
+       USE_SELINUX=true        \
+%else
+       USE_SELINUX=false       \
+%endif

 %if %{lsb}
        USE_LSB=true            \
 %else
 %if %{lsb}
        USE_LSB=true            \
 %else

diff --git a/udev_selinux.c b/udev_selinux.c
new file mode 100644 (file)
index 0000000..3728fd0
--- /dev/null
+++ b/udev_selinux.c
@@ -0,0 +1,34 @@
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+
+#include "udev.h"
+#include "udev_version.h"
+#include "udev_selinux.h"
+#include "logging.h"
+
+
+void selinux_add_node(char *filename)
+{
+       int retval;
+
+       if (is_selinux_enabled() > 0) {
+               security_context_t scontext;
+               retval = matchpathcon(filename, 0, &scontext);
+               if (retval < 0) {
+                       dbg("matchpathcon(%s) failed\n", filename);
+               } else {
+                       retval=setfilecon(filename,scontext);
+                       if (retval < 0)
+                               dbg("setfiles %s failed with error '%s'",
+                                   filename, strerror(errno));
+                       free(scontext);
+               }
+       }
+}
+

diff --git a/udev_selinux.h b/udev_selinux.h
new file mode 100644 (file)
index 0000000..77a1f36
--- /dev/null
+++ b/udev_selinux.h
@@ -0,0 +1,10 @@
+#ifndef UDEV_SELINUX_H
+#define UDEV_SELINUX_H
+
+#ifdef USE_SELINUX
+extern void selinux_add_node(char *filename);
+#else
+static void selinux_add_node(char *filename) { }
+#endif
+
+#endif