From mboxrd@z Thu Jan 1 00:00:00 1970 From: Luke Kenneth Casson Leighton Date: Mon, 02 Aug 2004 21:25:20 +0000 Subject: Re: matchfilecon (the program) vs matchfilecon (the libselinux1 fn) Message-Id: <20040802212520.GC6260@lkcl.net> MIME-Version: 1 Content-Type: multipart/mixed; boundary="FkmkrVfFsRoUs1wW" List-Id: References: <20040801172751.GD20103@lkcl.net> <1091455223.23449.66.camel@moss-spartans.epoch.ncsc.mil> <20040802145724.GG4194@lkcl.net> <1091458325.23449.102.camel@moss-spartans.epoch.ncsc.mil> <20040802191243.GJ4194@lkcl.net> <1091474356.23449.272.camel@moss-spartans.epoch.ncsc.mil> In-Reply-To: <1091474356.23449.272.camel@moss-spartans.epoch.ncsc.mil> To: Stephen Smalley Cc: SE-Linux , Linux Hotplug Dev List --FkmkrVfFsRoUs1wW Content-Type: text/plain; charset=us-ascii Content-Disposition: inline p.s. setting permissions on symlinks was missed out, too. _and_ directories. darn. l. -- -- Information I post is with honesty, integrity, and the expectation that you will take full responsibility if acting on the information contained, and that, should you find it to be flawed or even mildly useful, you will act with both honesty and integrity in return - and tell me. -- lkcl.net
lkcl@lkcl.net
--FkmkrVfFsRoUs1wW Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=f --- Makefile.orig 2004-08-02 22:23:58.000000000 +0100 +++ Makefile 2004-08-02 22:24:01.000000000 +0100 @@ -25,6 +25,8 @@ # Leave this set to `false' for production use. DEBUG = true +# Set this to compile with Security-Enhanced Linux support. +WITH_SELINUX = true ROOT = udev DAEMON = udevd @@ -39,6 +41,7 @@ LOCAL_CFG_DIR = etc/udev HOTPLUG_EXEC = $(ROOT) + DESTDIR = KERNEL_DIR = /lib/modules/${shell uname -r}/build @@ -172,6 +175,13 @@ CFLAGS += -I$(PWD)/libsysfs +ifeq ($(strip $(WITH_SELINUX)),true) + LIB_OBJS += \ + -lselinux + CFLAGS += \ + -DWITH_SELINUX +endif + all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER) @extras="$(EXTRAS)" ; for target in $$extras ; do \ echo $$target ; \ --- udev-add.c.orig 2004-07-09 18:59:09.000000000 +0100 +++ udev-add.c 2004-08-02 22:23:27.000000000 +0100 @@ -50,6 +50,10 @@ #define LOCAL_USER "$local" +#ifdef WITH_SELINUX +#include +#endif + /* * Right now the major/minor of a device is stored in a file called * "dev" in sysfs. @@ -92,7 +96,31 @@ break; *pos = 0x00; if (stat(p, &stats)) { +#ifdef WITH_SELINUX + int seretval = 0; + security_context_t scontext; + if (is_selinux_enabled() > 0) + { + seretval = matchpathcon(p, 0, &scontext); + if (seretval < 0) { + dbg("matchpathcon(%s) failed\n", p); + } else { + seretval=setfscreatecon(scontext); + if (seretval < 0) + dbg("setfiles %s failed with error '%s'", + p, strerror(errno)); + } + } +#endif retval = mkdir(p, 0755); +#ifdef WITH_SELINUX + if (is_selinux_enabled() > 0) + { + /* after mkdir, free the context */ + freecon(scontext); + } +#endif + if (retval != 0) { dbg("mkdir(%s) failed with error '%s'", p, strerror(errno)); @@ -109,6 +137,10 @@ { struct stat stats; int retval = 0; + int seretval = 0; +#ifdef WITH_SELINUX + security_context_t scontext; +#endif if (stat(file, &stats) != 0) goto create; 
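Review bot: `WITH_SELINUX = true` as the shipped default makes every build link `-lselinux` and define `WITH_SELINUX`, so the tree stops building on any host without the libselinux headers and library, while the comment two lines above says `DEBUG` should be `false` for production. Default the new switch off, `WITH_SELINUX = false`, and let packagers turn it on, or at least extend the new comment to say that libselinux is required when it is set to `true`.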
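Review bot: The added `#include` line carries no header name in the text as shown, which looks like an angle-bracketed name lost in extraction rather than omitted from the patch; presumably it is `#include <selinux/selinux.h>`, the header that declares the `is_selinux_enabled`, `matchpathcon`, `setfscreatecon`, `setfilecon` and `freecon` calls the later hunks make. Worth confirming against the original attachment, since a bare `#include` is a hard compile error when `WITH_SELINUX` is defined.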
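Review bot: `scontext` is declared without an initializer in the mkdir branch and `freecon(scontext)` after `mkdir()` runs whenever SELinux is enabled, including when `matchpathcon()` failed and never assigned it, so that failure path hands an indeterminate stack pointer to `freecon()`, which frees it. On the same path `mkdir()` still runs under whatever file-creation context an earlier iteration set, because nothing ever clears it. Initialize `security_context_t scontext = NULL;` and replace the post-mkdir cleanup with `if (seretval == 0) { setfscreatecon(NULL); freecon(scontext); }` so each directory is labeled from its own lookup or from policy default, never from the previous path. The enclosing function starts before this hunk.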
@@ -117,6 +149,24 @@ if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) && (stats.st_rdev == makedev(major, minor))) { dbg("preserve file '%s', cause it has correct dev_t", file); +#ifdef WITH_SELINUX + /* lkcl: maybe someone would like to do the same thing with se/linux + * security contexts (check they are the same) but hey, not me! + */ + if (is_selinux_enabled() > 0) + { + retval = matchpathcon(file, 0, &scontext); + if (retval < 0) { + dbg("matchpathcon(%s) failed\n", file); + } else { + retval=setfilecon(scontext, file); + if (retval < 0) + dbg("setfiles %s failed with error '%s'", + file, strerror(errno)); + freecon(scontext); + } + } +#endif goto perms; } @@ -126,6 +176,21 @@ dbg("already present file '%s' unlinked", file); create: +#ifdef WITH_SELINUX + if (is_selinux_enabled() > 0) + { + seretval = matchpathcon(file, 0, &scontext); + if (seretval < 0) { + dbg("matchpathcon(%s) failed\n", file); + } else { + retval=setfscreatecon(scontext); + if (retval < 0) + dbg("setfiles %s failed with error '%s'", + file, strerror(errno)); + } + } +#endif + retval = mknod(file, mode, makedev(major, minor)); if (retval != 0) { dbg("mknod(%s, %#o, %u, %u) failed with error '%s'", @@ -133,6 +198,15 @@ goto exit; } +#ifdef WITH_SELINUX + if (is_selinux_enabled() > 0) + { + /* after mknod, free the context */ + if (seretval == 0) + freecon(scontext); + } +#endif + perms: dbg("chmod(%s, %#o)", file, mode); if (chmod(file, mode) != 0) { @@ -150,7 +224,7 @@ } exit: - return retval; + return retval < 0 ? retval : seretval; } /* get the local logged in user */ 
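Review bot: In the preserve-file branch `retval = matchpathcon(...)` and `retval=setfilecon(...)` reuse the function's result variable, so a labeling lookup or relabel failure now makes the call report failure for a device node that, as the dbg line says, exists with the correct dev_t and is being preserved. Assign those results to `seretval` instead, `seretval = matchpathcon(file, 0, &scontext);` and `seretval = setfilecon(scontext, file);`, so `retval` keeps the node status. Note also that `setfilecon()` here relabels the existing node on every invocation rather than only when its current label differs, which the in-line comment acknowledges; a `getfilecon()` compare before the call would avoid the redundant write.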
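Review bot: The context is only released on the success path: when `mknod()` fails, the `goto exit` just above this block skips `freecon(scontext)`, and even on success the file-creation context set by `setfscreatecon(scontext)` is never cleared, so every later object this process creates inherits this node's label whenever its own `matchpathcon()` lookup fails. Do the reset and the free together immediately after `mknod()`, before the `retval != 0` check: `if (seretval == 0) { setfscreatecon(NULL); freecon(scontext); }`, and drop the block that follows the exit jump. Declaring it as `security_context_t scontext = NULL;` in the declarations hunk above keeps an early failure from freeing garbage.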
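Review bot: `return retval < 0 ? retval : seretval;` turns a `matchpathcon()` failure into a failure return from a function that has by then created the node and applied its permissions, so a missing or unreadable file_contexts entry is reported as if the device node had not been created. Whether callers treat that as fatal is outside this hunk; if labeling is meant to be best-effort, as the dbg-only handling everywhere else suggests, keep `return retval;` and leave the SELinux result to the debug log, otherwise document the contract above the label, e.g. `/* negative if the node could not be created, otherwise the SELinux labeling result */`.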
@@ -304,10 +378,36 @@ dbg("symlink(%s, %s)", linktarget, filename); if (!fake) { +#ifdef WITH_SELINUX + int seretval = 0; + security_context_t scontext; + if (is_selinux_enabled() > 0) + { + seretval = matchpathcon(filename, 0, &scontext); + if (seretval < 0) { + dbg("matchpathcon(%s) failed\n", filename); + } else { + seretval=setfscreatecon(scontext); + if (seretval < 0) + dbg("setfiles %s failed with error '%s'", + filename, strerror(errno)); + } + } +#endif + + unlink(filename); if (symlink(linktarget, filename) != 0) dbg("symlink(%s, %s) failed with error '%s'", linktarget, filename, strerror(errno)); +#ifdef WITH_SELINUX + if (is_selinux_enabled() > 0) + { + /* after symlink, free the context */ + freecon(scontext); + } +#endif + } } --FkmkrVfFsRoUs1wW-- ------------------------------------------------------- This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG- Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com _______________________________________________ Linux-hotplug-devel mailing list http://linux-hotplug.sourceforge.net Linux-hotplug-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/linux-hotplug-devel
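Review bot: `freecon(scontext)` after `symlink()` runs whenever SELinux is enabled, but `scontext` is assigned only when `matchpathcon()` succeeded and is otherwise an uninitialized stack pointer, so a failed lookup frees an indeterminate value; as in the other creation paths, the file-creation context is also left set for the rest of the process. Initialize `security_context_t scontext = NULL;` and replace the cleanup with `if (seretval == 0) { setfscreatecon(NULL); freecon(scontext); }`. The enclosing function starts before this hunk.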