[PATCH] mdev - add SELinux support
Amadeusz Sławiński
amade at asmblr.net
Mon Jan 20 15:56:57 UTC 2014
On Mon, 20 Jan 2014 09:43:24 -0500
Daniel J Walsh <dwalsh at redhat.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
>
> A better patch would be to use setfscreatecon(scontext) before the
> mknod. And setfscreatecon(NULL) after.
>
>
> Pseuod code
> #if ENABLE_SELINUX
> security_context_t scontext = NULL;
> char *node_path = xasprintf("/dev/%s", node_name);
> if (matchpathcon(node_path, rule->mode | type, &scontext) ==
> 0) { setfscreatecon(scontext);
> freecon(scontext);
> #endif
> if (mknod(node_name, rule->mode | type, makedev(major,
> minor)) && errno != EEXIST)
> bb_perror_msg("can't create '%s'", node_name);
> #if ENABLE_SELINUX
> setfscreatecon(NULL);
> #endif
>
> That way you eliminate a potential race condition where the node is
> temporarily mislabeled.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlLdNgwACgkQrlYvE4MpobPnhwCgtYGSnzSfemSnTSZYEtIRaPi1
> uRcAoIxEL5vwZJK+Qnic2BZeKsJpk2iu
> =6kck
> -----END PGP SIGNATURE-----
I don't mind doing it like this, in fact first version of this patch
looked almost exactly same.
My reasoning for doing it the other way is that some nodes (at least on
gentoo - console, tty, tty1, null, kmsg) are created before and labels
on those need to be fixed (one can of course edit his scripts and run
restorecon). Also it should work better this way with people using
devtmpfs to mount/automount /dev, even though they later use mdev.
Amadeusz
More information about the busybox
mailing list