Here is a fix for the SELinux part of udev.
Setfscreatecon() overrides the default labeling behavior of SELinux when
creating files, so it should be in effect for as short a time as
possible, only around the mknod or symlink calls. Without this, the files in
udev_db get the wrong label because the fscreatecon is reset after the
udev_db file creation instead of before. I'm guessing the Redhat people
missed this because they modify udev_db to be one big file instead of a
directory of small files (at least that's what I'm told). I created
selinux_resetfscreatecon() to reset the fscreatecon asap after the
file/node is created.
Fixed a memory leak in selinux_init. Getfscreatecon() allocates memory
for the context, and the udev code was immediately setting the pointer
(security_context_t is actually a typedef'ed char*) to NULL after the
call regardless of success/failure. If you're wondering about the case
where there's effectively a setfscreatecon(NULL), this is ok, as its
used to tell SELinux to do the default labeling behavior.
Renamed selinux_restore() to selinux_exit() due to the changed behavior.
Fixed a couple of dbg() messages.
selinux_setfscreatecon(file, udev->kernel_name, mode);
retval = mknod(file, mode, devt);
selinux_setfscreatecon(file, udev->kernel_name, mode);
retval = mknod(file, mode, devt);
+ selinux_resetfscreatecon();
if (retval != 0) {
dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
file, mode, major(devt), minor(devt), strerror(errno));
if (retval != 0) {
dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
file, mode, major(devt), minor(devt), strerror(errno));
/* create symlink(s) if requested */
foreach_strpart(udev->symlink, " ", pos, len) {
/* create symlink(s) if requested */
foreach_strpart(udev->symlink, " ", pos, len) {
char linkname[NAME_SIZE];
char linktarget[NAME_SIZE];
char linkname[NAME_SIZE];
char linktarget[NAME_SIZE];
dbg("symlink(%s, %s)", linktarget, filename);
if (!udev->test_run) {
dbg("symlink(%s, %s)", linktarget, filename);
if (!udev->test_run) {
- selinux_setfscreatecon(filename, udev->kernel_name, S_IFLNK);
- if (symlink(linktarget, filename) != 0)
+ selinux_setfscreatecon(filename, udev->kernel_name, S_IFLNK);
+ retval = symlink(linktarget, filename);
+ selinux_resetfscreatecon();
+ if (retval != 0)
dbg("symlink(%s, %s) failed with error '%s'",
linktarget, filename, strerror(errno));
}
dbg("symlink(%s, %s) failed with error '%s'",
linktarget, filename, strerror(errno));
}
}
if (setfilecon(file, scontext) < 0)
}
if (setfilecon(file, scontext) < 0)
- dbg("setfiles %s failed with error '%s'", file, strerror(errno));
+ dbg("setfilecon %s failed with error '%s'", file, strerror(errno));
}
if (setfscreatecon(scontext) < 0)
}
if (setfscreatecon(scontext) < 0)
- dbg("setfiles %s failed with error '%s'", file, strerror(errno));
+ dbg("setfscreatecon %s failed with error '%s'", file, strerror(errno));
+void selinux_resetfscreatecon(void)
+{
+ if (is_selinux_running()) {
+ if (setfscreatecon(prev_scontext) < 0)
+ dbg("setfscreatecon %s failed with error '%s'", file, strerror(errno));
+ }
+}
+
void selinux_init(void)
{
/*
void selinux_init(void)
{
/*
* restoration creation purposes.
*/
if (is_selinux_running()) {
* restoration creation purposes.
*/
if (is_selinux_running()) {
- if (getfscreatecon(&prev_scontext) < 0)
+ if (getfscreatecon(&prev_scontext) < 0) {
dbg("getfscreatecon failed\n");
dbg("getfscreatecon failed\n");
-
- prev_scontext = NULL;
+ prev_scontext = NULL;
+ }
-void selinux_restore(void)
- if (is_selinux_running()) {
- /* reset the file create context to its former glory */
- if (setfscreatecon(prev_scontext) < 0)
- dbg("setfscreatecon failed\n");
-
- if (prev_scontext) {
- freecon(prev_scontext);
- prev_scontext = NULL;
- }
+ if (is_selinux_running() && prev_scontext) {
+ freecon(prev_scontext);
+ prev_scontext = NULL;
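Review bot: The new selinux_resetfscreatecon() (the `void selinux_resetfscreatecon(void)` block above) takes no parameters, yet its dbg() call reads `file`, which is not in scope in that function; unless the debug macro discards its arguments when debugging is off, this will not compile, and when it does compile it logs a value unrelated to the reset. A second issue is ordering: the callers shown earlier in udev-add.c now call selinux_resetfscreatecon() between mknod()/symlink() and the `strerror(errno)` in their failure messages, so a failing setfscreatecon() inside the reset can overwrite the errno those messages report. Both are addressed by saving and restoring errno around the reset and logging the context actually being restored (guarding the NULL case, which the description notes means "default labeling"); the rewritten function is below. selinux_exit() at the end of this section continues past the last visible line, so its closing braces are not reviewed here.
```c
void selinux_resetfscreatecon(void)
{
	int saved_errno = errno;	/* callers report errno from mknod()/symlink() after this call */

	if (is_selinux_running()) {
		if (setfscreatecon(prev_scontext) < 0)
			dbg("setfscreatecon %s failed with error '%s'",
			    prev_scontext ? prev_scontext : "(default)", strerror(errno));
	}
	errno = saved_errno;
}
```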
extern void selinux_setfilecon(const char *file, const char *devname, unsigned int mode);
extern void selinux_setfscreatecon(const char *file, const char *devname, unsigned int mode);
extern void selinux_setfilecon(const char *file, const char *devname, unsigned int mode);
extern void selinux_setfscreatecon(const char *file, const char *devname, unsigned int mode);
+extern void selinux_resetfscreatecon(void);
extern void selinux_init(void);
extern void selinux_init(void);
-extern void selinux_restore(void);
+extern void selinux_exit(void);
#else
static inline void selinux_setfilecon(const char *file, const char *devname, unsigned int mode) {}
static inline void selinux_setfscreatecon(const char *file, const char *devname, unsigned int mode) {}
#else
static inline void selinux_setfilecon(const char *file, const char *devname, unsigned int mode) {}
static inline void selinux_setfscreatecon(const char *file, const char *devname, unsigned int mode) {}
+static inline void selinux_resetfscreatecon(void) {}
static inline void selinux_init(void) {}
static inline void selinux_init(void) {}
-static inline void selinux_restore(void) {}
+static inline void selinux_exit(void) {}
#endif /* USE_SELINUX */
#endif /* _UDEV_USE_SELINUX */
#endif /* USE_SELINUX */
#endif /* _UDEV_USE_SELINUX */