[PATCH] mdev - add SELinux support

Amadeusz Sławiński amade at asmblr.net
Tue Jan 21 00:07:56 UTC 2014 

Add support for relabeling files. Files created or modified by mdev
should now have correct SELinux labels.

It sets file creation context, however if it detects that file exists it
just restores context.

Signed-off-by: Amadeusz Sławiński <amade at asmblr.net>
---
 util-linux/mdev.c | 37 +++++++++++++++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/util-linux/mdev.c b/util-linux/mdev.c
index e80b58f..8ecc122 100644
--- a/util-linux/mdev.c
+++ b/util-linux/mdev.c
@@ -552,6 +552,9 @@ static void make_device(char *device_name, char *path, int operation)
 {
 	int major, minor, type, len;
 	char *path_end = path + strlen(path);
+#if ENABLE_SELINUX
+	int selinux_enabled = is_selinux_enabled();
+#endif
 
 	/* Try to read major/minor string.  Note that the kernel puts \n after
 	 * the data, so we don't need to worry about null terminating the string
@@ -741,6 +744,11 @@ static void make_device(char *device_name, char *path, int operation)
 
 		if (operation == OP_add && major >= 0) {
 			char *slash = strrchr(node_name, '/');
+#if ENABLE_SELINUX
+			security_context_t scontext = NULL;
+			char *node_path;
+			int have_context = 0;
+#endif
 			if (slash) {
 				*slash = '\0';
 				mkdir_recursive(node_name);
@@ -757,8 +765,33 @@ static void make_device(char *device_name, char *path, int operation)
 					node_name, major, minor, rule->mode | type
 				);
 			}
-			if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
-				bb_perror_msg("can't create '%s'", node_name);
+#if ENABLE_SELINUX
+			if (selinux_enabled) {
+				node_path = xasprintf("/dev/%s", node_name);
+				have_context = (matchpathcon(node_path, rule->mode | type, &scontext) == 0);
+				if (have_context)
+					setfscreatecon(scontext);
+			}
+#endif
+			if (mknod(node_name, rule->mode | type, makedev(major, minor))) {
+				if (errno == EEXIST) {
+#if ENABLE_SELINUX
+					if (selinux_enabled && have_context)
+						setfilecon(node_path, scontext);
+#endif
+				} else
+					bb_perror_msg("can't create '%s'", node_name);
+			}
+
+#if ENABLE_SELINUX
+			if (selinux_enabled) {
+				if (have_context)
+					freecon(scontext);
+				setfscreatecon(NULL);
+				free(node_path);
+			}
+#endif
+
 			if (ENABLE_FEATURE_MDEV_CONF) {
 				chmod(node_name, rule->mode);
 				chown(node_name, rule->ugid.uid, rule->ugid.gid);
-- 
1.8.5.3

More information about the busybox mailing list