[PATCH] mdev - add SELinux support
Daniel J Walsh
dwalsh at redhat.com
Mon Jan 20 14:43:24 UTC 2014
On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
A better patch would be to use setfscreatecon(scontext) before the mknod.
And setfscreatecon(NULL) after.
Pseudo code
#if ENABLE_SELINUX
	security_context_t scontext = NULL;
	char *node_path = xasprintf("/dev/%s", node_name);
	/* Look up the policy label for the node and set it as the creation context */
	if (matchpathcon(node_path, rule->mode | type, &scontext) == 0) {
		setfscreatecon(scontext);
		freecon(scontext);
	}
	free(node_path);
#endif
	if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
		bb_perror_msg("can't create '%s'", node_name);
#if ENABLE_SELINUX
	/* Reset to the default creation context */
	setfscreatecon(NULL);
#endif
That way you eliminate a potential race condition where the node is
temporarily mislabeled.