* Re: Cleaned up udev-selinux patch
       [not found]           ` <20040826155716.GA30726@kroah.com>
@ 2004-08-26 17:41             ` Daniel J Walsh
  2004-08-26 17:51               ` Greg KH
                                 ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Daniel J Walsh @ 2004-08-26 17:41 UTC (permalink / raw)
  To: Greg KH
  Cc: Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

[-- Attachment #1: Type: text/plain, Size: 735 bytes --]

Greg KH wrote:

>On Thu, Aug 26, 2004 at 11:15:07AM -0400, Daniel J Walsh wrote:
>  
>
>>This will create the security contexts on the fly.
>>
>>Please comment on what would be needed to get this acceptable?
>>    
>>
>
>Same things I said on the mailing list:
>	- fix coding style
>	- no ifdefs in .c files
>	- make the selinux stuff all be in its own file
>	- make the build flag look like the other build flags
>	- not make the makefile changes have silly line continuations
>	  when not needed :)
>	- post the patch on the mailing list (linux-hotplug-devel) for
>	  others to comment on after fixing the above.
>
>thanks,
>
>greg k-h
>  
>
Another pass at a cleaned-up patch.  This time attempting to follow Greg's
guidelines.

Dan


[-- Attachment #2: udev-030-selinux.patch --]
[-- Type: text/x-patch, Size: 4830 bytes --]

--- /dev/null	2004-06-21 15:29:38.000000000 -0400
+++ udev-030/selinux.h	2004-08-26 13:14:05.730808665 -0400
@@ -0,0 +1,87 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+#define set_selinux_set_context(file, mode)     do { } while (0)
+#define selinux_setup_context(file, mode)       do { } while (0)
+#define selinux_init()                          do { } while (0)
+#define selinux_restore()                       do { } while (0)
+
+#else
+
+#include <selinux/selinux.h>
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+#undef is_selinux_running
+static inline int is_selinux_running(void) {
+	if ( selinux_enabled==-1 ) 
+		return selinux_enabled=is_selinux_enabled()>0;
+	return selinux_enabled;
+}
+#undef selinux_set_context
+static inline void selinux_set_context(char *file, unsigned int mode) { 
+	if (is_selinux_running()) {
+		security_context_t scontext=NULL;
+		if (matchpathcon(file, mode, &scontext) < 0) {
+			dbg("matchpathcon(%s) failed\n", file);
+		} else {
+			
+			if (setfilecon(file, scontext) < 0)
+				dbg("setfiles %s failed with error '%s'",
+				    file, strerror(errno));
+			freecon(scontext);
+		}
+	}
+}
+
+#undef selinux_setup_context
+static inline void selinux_setup_context(char *file, unsigned int mode) {
+	int retval = 0;
+	security_context_t scontext=NULL;
+
+	if (is_selinux_running()) {
+		if (matchpathcon(file, S_IFDIR, &scontext) < 0) {
+			dbg("matchpathcon(%s) failed\n", file);
+		} else {
+			retval=setfscreatecon(scontext);
+			if (retval < 0)
+				dbg("setfiles %s failed with error '%s'",
+				    file, strerror(errno));
+			freecon(scontext);
+		}
+	}
+}
+#undef selinux_init
+static inline void selinux_init(void) {
+	/* record the present security context, for file-creation
+	 * restoration creation purposes.
+	 *
+	 * we're going to assume that between now and the time that
+	 * this context is restored that the only filecreation of any
+	 * kind to occur will be mknod, symlink and mkdirs.
+	 */
+
+	if (is_selinux_running())
+	{
+		if (getfscreatecon(&prev_scontext) < 0) {
+			dbg("getfscreatecon failed\n");
+		}
+		prev_scontext=NULL;
+	}
+}
+#undef selinux_restore
+static inline void selinux_restore(void) {
+	if (is_selinux_running()) {
+		/* reset the file create context to its former glory */
+		if ( setfscreatecon(prev_scontext) < 0 )
+			dbg("setfscreatecon failed\n");
+		if (prev_scontext) {
+			freecon(prev_scontext);
+			prev_scontext=NULL;
+		}
+	}
+}
+#endif /* USE_SELINUX */
+#endif /* SELINUX_H */
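Review bot: In selinux_init the statement after the getfscreatecon() check unconditionally sets prev_scontext to NULL, which discards (and, when a context was returned, leaks) the value just recorded, so selinux_restore always calls setfscreatecon(NULL) rather than restoring the recorded context; limit the reset to the failure branch, `if (getfscreatecon(&prev_scontext) < 0) { dbg("getfscreatecon failed\n"); prev_scontext = NULL; }`. Relatedly, selinux_setup_context only logs when matchpathcon() fails and leaves the process-wide file-creation context set by the previous call in force, so a node or symlink created after a failed lookup inherits the label computed for an earlier path (for example a parent directory from the mkdir loop); on that branch either reset with `setfscreatecon(NULL)` or report the failure to the caller. The same selinux_init and matchpathcon failure handling reappear unchanged in the 27 Aug revision of this patch further down the thread.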
--- udev-030/udev-add.c.selinux	2004-08-26 13:06:56.098297558 -0400
+++ udev-030/udev-add.c	2004-08-26 13:22:39.521226968 -0400
@@ -50,6 +50,8 @@
 
 #define LOCAL_USER "$local"
 
+#include "selinux.h"
+
 /* 
  * Right now the major/minor of a device is stored in a file called
  * "dev" in sysfs.
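Review bot: selinux.h uses dbg(), errno, strerror() and S_IFDIR but includes only <selinux/selinux.h>, so it compiles only because it is included here after udev-add.c's own headers; a header should include what it uses so it can be included first. Add `#include <errno.h>`, `#include <string.h>`, `#include <sys/stat.h>` and the header that declares dbg() (logging.h, going by the Makefile hunk) to selinux.h itself, or document the ordering requirement in a comment next to this include. The 27 Aug revision has the same dependency.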
@@ -92,6 +94,7 @@
 			break;
 		*pos = 0x00;
 		if (stat(p, &stats)) {
+			selinux_setup_context(p, S_IFDIR);
 			retval = mkdir(p, 0755);
 			if (retval != 0) {
 				dbg("mkdir(%s) failed with error '%s'",
@@ -117,6 +120,7 @@
 	if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) &&
 	    (stats.st_rdev == makedev(major, minor))) {
 		dbg("preserve file '%s', cause it has correct dev_t", file);
+		selinux_set_context(file,stats.st_mode);
 		if (udev_preserve_owner)
 		  goto exit;
 		else
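Review bot: The added call is to `selinux_set_context`, but the no-SELinux branch of selinux.h defines the stub as `set_selinux_set_context`, so a build with USE_SELINUX unset hits an undeclared function here; rename the stub `#define selinux_set_context(file, mode) do { } while (0)`. The enclosing function starts and ends outside the hunk. The 27 Aug revision renames both sides to selinux_setfilecon and does not have this mismatch.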
@@ -129,6 +133,7 @@
 		dbg("already present file '%s' unlinked", file);
 
 create:
+	selinux_setup_context(file, mode);
 	retval = mknod(file, mode, makedev(major, minor));
 	if (retval != 0) {
 		dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +312,7 @@
 
 		dbg("symlink(%s, %s)", linktarget, filename);
 		if (!fake) {
+			selinux_setup_context(filename, S_IFLNK);
 			unlink(filename);
 			if (symlink(linktarget, filename) != 0)
 				dbg("symlink(%s, %s) failed with error '%s'",
@@ -441,6 +447,7 @@
 
 	dbg("name='%s'", dev.name);
 
+	selinux_init();
 	switch (dev.type) {
 	case 'b':
 	case 'c':
@@ -478,6 +485,7 @@
 	}
 
 exit:
+	selinux_restore();
 	sysfs_close_class_device(class_dev);
 
 	return retval;
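Review bot: selinux_restore() sits under the `exit:` label, so the process-wide file-creation context changed by the earlier selinux_setup_context() calls is only reset on paths that reach that label; the enclosing function starts outside the hunk, and any `return` between selinux_init() and this label would leave the altered context in place for whatever runs afterwards in this process. If such returns exist, route them through `exit` or call `selinux_restore()` before them. The 27 Aug revision places the init and restore calls identically.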
--- udev-030/Makefile.selinux	2004-07-09 13:59:09.000000000 -0400
+++ udev-030/Makefile	2004-08-26 13:06:56.138293168 -0400
@@ -25,6 +25,8 @@
 # Leave this set to `false' for production use.
 DEBUG = false
 
+# Set this to compile with Security-Enhanced Linux support.
+USE_SELINUX = true
 
 ROOT =		udev
 DAEMON =	udevd
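Review bot: `USE_SELINUX = true` makes the stock build require the libselinux headers and `-lselinux` on every host, which does not match the opt-in wording of the comment above it; default it to false, `USE_SELINUX = false`, and name the dependency in the comment, e.g. `# Set this to true to compile with Security-Enhanced Linux support (needs libselinux).` The same default appears in the 27 Aug revision.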
@@ -172,6 +174,11 @@
 
 CFLAGS += -I$(PWD)/libsysfs
 
+ifeq ($(strip $(USE_SELINUX)),true)
+	CFLAGS += -DUSE_SELINUX
+	LIB_OBJS += -lselinux
+endif
+
 all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER)
 	@extras="$(EXTRAS)" ; for target in $$extras ; do \
 		echo $$target ; \
@@ -216,6 +223,7 @@
 		udevdb.h	\
 		klibc_fixups.h	\
 		logging.h	\
+		selinux.h	\
 		list.h
 
 ifeq ($(strip $(USE_KLIBC)),true)


* Re: Cleaned up udev-selinux patch
  2004-08-26 17:41             ` Cleaned up udev-selinux patch Daniel J Walsh
@ 2004-08-26 17:51               ` Greg KH
  2004-08-26 19:07                 ` Daniel J Walsh
  2004-08-26 22:56               ` Luke Kenneth Casson Leighton
  2004-08-27 15:36               ` James Morris
  2 siblings, 1 reply; 12+ messages in thread
From: Greg KH @ 2004-08-26 17:51 UTC (permalink / raw)
  To: linux-hotplug

On Thu, Aug 26, 2004 at 01:41:03PM -0400, Daniel J Walsh wrote:
> Greg KH wrote:
> 
> >On Thu, Aug 26, 2004 at 11:15:07AM -0400, Daniel J Walsh wrote:
> > 
> >
> >>This will create the security contexts on the fly.
> >>
> >>Please comment on what would be needed to get this acceptable?
> >>   
> >>
> >
> >Same things I said on the mailing list:
> >	- fix coding style
> >	- no ifdefs in .c files
> >	- make the selinux stuff all be in its own file
> >	- make the build flag look like the other build flags
> >	- not make the makefile changes have silly line continuations
> >	  when not needed :)
> >	- post the patch on the mailing list (linux-hotplug-devel) for
> >	  others to comment on after fixing the above.
> >
> >thanks,
> >
> >greg k-h
> > 
> >
> Another pass at a cleaned up patch.  This time attempting to folow Greg 
> guidelines.

Looks good.  Do you really want it all in a .h file?  I don't mind
having the selinux functions being in a .c file and building that if
USE_SELINUX is enabled.

But it's your call, as you are the one going to have to live with the
code :)

thanks,

greg k-h




* Re: Cleaned up udev-selinux patch
  2004-08-26 17:51               ` Greg KH
@ 2004-08-26 19:07                 ` Daniel J Walsh
  2004-08-26 19:14                   ` Greg KH
  2004-08-26 22:59                   ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 12+ messages in thread
From: Daniel J Walsh @ 2004-08-26 19:07 UTC (permalink / raw)
  To: Greg KH
  Cc: Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

Greg KH wrote:

>On Thu, Aug 26, 2004 at 01:41:03PM -0400, Daniel J Walsh wrote:
>  
>
>>Greg KH wrote:
>>
>>    
>>
>>>On Thu, Aug 26, 2004 at 11:15:07AM -0400, Daniel J Walsh wrote:
>>>
>>>
>>>      
>>>
>>>>This will create the security contexts on the fly.
>>>>
>>>>Please comment on what would be needed to get this acceptable?
>>>>  
>>>>
>>>>        
>>>>
>>>Same things I said on the mailing list:
>>>	- fix coding style
>>>	- no ifdefs in .c files
>>>	- make the selinux stuff all be in its own file
>>>	- make the build flag look like the other build flags
>>>	- not make the makefile changes have silly line continuations
>>>	  when not needed :)
>>>	- post the patch on the mailing list (linux-hotplug-devel) for
>>>	  others to comment on after fixing the above.
>>>
>>>thanks,
>>>
>>>greg k-h
>>>
>>>
>>>      
>>>
>>Another pass at a cleaned up patch.  This time attempting to folow Greg 
>>guidelines.
>>    
>>
>
>Looks good.  Do you really want it all in a .h file?  I don't mind
>having the selinux functions being in a .c file and building that if
>USE_SELINUX is enabled.
>
>But it's your call, as you are the one going to have to live with the
>code :)
>
>thanks,
>
>greg k-h
>  
>
I copied the way it was being done with logging.h

I already have some updates from comments from other people.

Dan




* Re: Cleaned up udev-selinux patch
  2004-08-26 19:07                 ` Daniel J Walsh
@ 2004-08-26 19:14                   ` Greg KH
  2004-08-26 22:59                   ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 12+ messages in thread
From: Greg KH @ 2004-08-26 19:14 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

On Thu, Aug 26, 2004 at 03:07:23PM -0400, Daniel J Walsh wrote:
> Greg KH wrote:
> 
> >Looks good.  Do you really want it all in a .h file?  I don't mind
> >having the selinux functions being in a .c file and building that if
> >USE_SELINUX is enabled.
> >
> >But it's your call, as you are the one going to have to live with the
> >code :)
> 
> I copied the way it was being done with logging.h

Yeah, but logging.h has such tiny functions :)

Anyway, it's your decision.

> I already have some updates from comments from other people.

Ok, feel free to send me a patch when you feel it should be applied.

thanks,

greg k-h




* Re: Cleaned up udev-selinux patch
  2004-08-26 17:41             ` Cleaned up udev-selinux patch Daniel J Walsh
  2004-08-26 17:51               ` Greg KH
@ 2004-08-26 22:56               ` Luke Kenneth Casson Leighton
  2004-08-27 15:36               ` James Morris
  2 siblings, 0 replies; 12+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-26 22:56 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Greg KH, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

On Thu, Aug 26, 2004 at 01:41:03PM -0400, Daniel J Walsh wrote:

like this:


--- /dev/null	2004-06-21 15:29:38.000000000 -0400
+++ udev-030/selinux.h	2004-08-26 13:14:05.730808665 -0400
@@ -0,0 +1,87 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+#define set_selinux_set_context(file, mode)     do { } while (0)
+#define selinux_setup_context(file, mode)       do { } while (0)
+#define selinux_init()                          do { } while (0)
+#define selinux_restore()                       do { } while (0)
+
+#else
+
+#define set_selinux_set_context real_set_selinux_context
+#define set_selinux_setup_context real_set_setup_context
+...

--- /dev/null	2004-06-21 15:29:38.000000000 -0400
+++ udev-030/selinux.c	2004-08-26 13:14:05.730808665 -0400

+#include <selinux/selinux.h>
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+#undef is_selinux_running
+static inline int is_selinux_running(void) {
+	if ( selinux_enabled=-1 ) 
+		return selinux_enabled=is_selinux_enabled()>0;
+	return selinux_enabled;
+}
+#undef selinux_set_context
+void real_selinux_set_context(char *file, unsigned int mode) { 
      ^^^^




* Re: Cleaned up udev-selinux patch
  2004-08-26 22:59                   ` Luke Kenneth Casson Leighton
@ 2004-08-26 22:56                     ` Greg KH
  2004-08-27 13:32                       ` Daniel J Walsh
  2004-08-27 14:28                       ` Luke Kenneth Casson Leighton
  0 siblings, 2 replies; 12+ messages in thread
From: Greg KH @ 2004-08-26 22:56 UTC (permalink / raw)
  To: Daniel J Walsh, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

On Thu, Aug 26, 2004 at 11:59:28PM +0100, Luke Kenneth Casson Leighton wrote:
> perhaps the style should be that the Makefile adds some code
> add_selinux.c based on a configure-time option,
> 
> and that some #ifdefs in a header file call a function which
> is a stub in the header if WITH_SELINUX is not defined.
> 
> bizarre_but_likely_quite_good_coding_style_never_encountered_before.h:

You've never read Linux kernel code, have you :)

> #ifdef WITH_SELINUX
> int do_add_selinux_stuff(args) { return 0; }

Logic is backwards here.

> #else
> #define do_add_selinux_stuff the_real_add_selinux_stuff

This define is unnecessary.  Just call the function
do_add_selinux_stuff(), and prototype it.

Actually, inline functions that do nothing if selinux is disabled is
better to catch compiler errors with types if things change in the
future.

thanks,

greg k-h




* Re: Cleaned up udev-selinux patch
  2004-08-26 19:07                 ` Daniel J Walsh
  2004-08-26 19:14                   ` Greg KH
@ 2004-08-26 22:59                   ` Luke Kenneth Casson Leighton
  2004-08-26 22:56                     ` Greg KH
  1 sibling, 1 reply; 12+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-26 22:59 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Greg KH, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

perhaps the style should be that the Makefile adds some code
add_selinux.c based on a configure-time option,

and that some #ifdefs in a header file call a function which
is a stub in the header if WITH_SELINUX is not defined.

bizarre_but_likely_quite_good_coding_style_never_encountered_before.h:

#ifdef WITH_SELINUX
int do_add_selinux_stuff(args) { return 0; }
#else
#define do_add_selinux_stuff the_real_add_selinux_stuff
#endif

and add_selinux.c contains:

int the_real_add_selinux_stuff(args)
{
	....

	return err;
}


On Thu, Aug 26, 2004 at 03:07:23PM -0400, Daniel J Walsh wrote:
> Greg KH wrote:
> 
> >On Thu, Aug 26, 2004 at 01:41:03PM -0400, Daniel J Walsh wrote:
> > 
> >
> >>Greg KH wrote:
> >>
> >>   
> >>
> >>>On Thu, Aug 26, 2004 at 11:15:07AM -0400, Daniel J Walsh wrote:
> >>>
> >>>
> >>>     
> >>>
> >>>>This will create the security contexts on the fly.
> >>>>
> >>>>Please comment on what would be needed to get this acceptable?
> >>>> 
> >>>>
> >>>>       
> >>>>
> >>>Same things I said on the mailing list:
> >>>	- fix coding style
> >>>	- no ifdefs in .c files
> >>>	- make the selinux stuff all be in its own file
> >>>	- make the build flag look like the other build flags
> >>>	- not make the makefile changes have silly line continuations
> >>>	  when not needed :)
> >>>	- post the patch on the mailing list (linux-hotplug-devel) for
> >>>	  others to comment on after fixing the above.
> >>>
> >>>thanks,
> >>>
> >>>greg k-h
> >>>
> >>>
> >>>     
> >>>
> >>Another pass at a cleaned up patch.  This time attempting to folow Greg 
> >>guidelines.
> >>   
> >>
> >
> >Looks good.  Do you really want it all in a .h file?  I don't mind
> >having the selinux functions being in a .c file and building that if
> >USE_SELINUX is enabled.
> >
> >But it's your call, as you are the one going to have to live with the
> >code :)
> >
> >thanks,
> >
> >greg k-h
> > 
> >
> I copied the way it was being done with logging.h
> 
> I already have some updates from comments from other people.
> 
> Dan
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov 
> with
> the words "unsubscribe selinux" without quotes as the message.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />





* Re: Cleaned up udev-selinux patch
  2004-08-26 22:56                     ` Greg KH
@ 2004-08-27 13:32                       ` Daniel J Walsh
  2004-08-27 15:42                         ` Luke Kenneth Casson Leighton
  2004-08-30 18:52                         ` Luke Kenneth Casson Leighton
  2004-08-27 14:28                       ` Luke Kenneth Casson Leighton
  1 sibling, 2 replies; 12+ messages in thread
From: Daniel J Walsh @ 2004-08-27 13:32 UTC (permalink / raw)
  To: Greg KH
  Cc: Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

[-- Attachment #1: Type: text/plain, Size: 120 bytes --]

Further cleanup and using all static inlines versus defines.  Renamed a 
couple of functions to make them clearer.

Dan

[-- Attachment #2: udev-030-selinux.patch --]
[-- Type: text/x-patch, Size: 4498 bytes --]

--- /dev/null	2004-06-21 15:29:38.000000000 -0400
+++ udev-030/selinux.h	2004-08-27 09:26:40.160862612 -0400
@@ -0,0 +1,80 @@
+#ifndef SELINUX_H
+#define SELINUX_H
+
+#ifndef USE_SELINUX
+
+static inline void selinux_setfilecon(char *file, unsigned int mode) { }
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {}
+static inline void selinux_init(void) {}
+static inline void selinux_restore(void) {}
+
+#else
+
+#include <selinux/selinux.h>
+
+static int selinux_enabled=-1;
+static security_context_t prev_scontext=NULL;
+
+static inline int is_selinux_running(void) {
+	if ( selinux_enabled==-1 ) 
+		return selinux_enabled=is_selinux_enabled()>0;
+	return selinux_enabled;
+}
+static inline void selinux_setfilecon(char *file, unsigned int mode) { 
+	if (is_selinux_running()) {
+		security_context_t scontext=NULL;
+		if (matchpathcon(file, mode, &scontext) < 0) {
+			dbg("matchpathcon(%s) failed\n", file);
+		} else {
+			
+			if (setfilecon(file, scontext) < 0)
+				dbg("setfiles %s failed with error '%s'",
+				    file, strerror(errno));
+			freecon(scontext);
+		}
+	}
+}
+
+static inline void selinux_setfscreatecon(char *file, unsigned int mode) {
+	int retval = 0;
+	security_context_t scontext=NULL;
+
+	if (is_selinux_running()) {
+		if (matchpathcon(file, S_IFDIR, &scontext) < 0) {
+			dbg("matchpathcon(%s) failed\n", file);
+		} else {
+			retval=setfscreatecon(scontext);
+			if (retval < 0)
+				dbg("setfiles %s failed with error '%s'",
+				    file, strerror(errno));
+			freecon(scontext);
+		}
+	}
+}
+static inline void selinux_init(void) {
+	/* record the present security context, for file-creation
+	 * restoration creation purposes.
+	 *
+	 */
+
+	if (is_selinux_running())
+	{
+		if (getfscreatecon(&prev_scontext) < 0) {
+			dbg("getfscreatecon failed\n");
+		}
+		prev_scontext=NULL;
+	}
+}
+static inline void selinux_restore(void) {
+	if (is_selinux_running()) {
+		/* reset the file create context to its former glory */
+		if ( setfscreatecon(prev_scontext) < 0 )
+			dbg("setfscreatecon failed\n");
+		if (prev_scontext) {
+			freecon(prev_scontext);
+			prev_scontext=NULL;
+		}
+	}
+}
+#endif /* USE_SELINUX */
+#endif /* SELINUX_H */
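Review bot: The diagnostics in selinux_setfilecon and selinux_setfscreatecon say `setfiles %s failed` although the calls that failed are setfilecon() and setfscreatecon(), so a reader chasing a labelling failure in the log is pointed at the wrong tool. Name the actual call, `dbg("setfilecon(%s) failed with error '%s'", file, strerror(errno));` and `dbg("setfscreatecon(%s) failed with error '%s'", file, strerror(errno));`, and drop the `\n` from the matchpathcon message, which is inconsistent with the other dbg() calls in this header and in udev-add.c. In the no-SELinux branch the four stubs declare `file` and `mode` but never use them, which builds with -Wextra will report as unused parameters; `(void)file; (void)mode;` in the stub bodies keeps them warning-free. The same messages appear in the 26 Aug revision above.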
--- udev-030/udev-add.c.selinux	2004-08-26 13:06:56.000000000 -0400
+++ udev-030/udev-add.c	2004-08-26 14:16:05.000000000 -0400
@@ -50,6 +50,8 @@
 
 #define LOCAL_USER "$local"
 
+#include "selinux.h"
+
 /* 
  * Right now the major/minor of a device is stored in a file called
  * "dev" in sysfs.
@@ -92,6 +94,7 @@
 			break;
 		*pos = 0x00;
 		if (stat(p, &stats)) {
+			selinux_setfscreatecon(p, S_IFDIR);
 			retval = mkdir(p, 0755);
 			if (retval != 0) {
 				dbg("mkdir(%s) failed with error '%s'",
@@ -117,6 +120,7 @@
 	if (((stats.st_mode & S_IFMT) == S_IFBLK || (stats.st_mode & S_IFMT) == S_IFCHR) &&
 	    (stats.st_rdev == makedev(major, minor))) {
 		dbg("preserve file '%s', cause it has correct dev_t", file);
+		selinux_setfilecon(file,stats.st_mode);
 		if (udev_preserve_owner)
 		  goto exit;
 		else
@@ -129,6 +133,7 @@
 		dbg("already present file '%s' unlinked", file);
 
 create:
+	selinux_setfscreatecon(file, mode);
 	retval = mknod(file, mode, makedev(major, minor));
 	if (retval != 0) {
 		dbg("mknod(%s, %#o, %u, %u) failed with error '%s'",
@@ -307,6 +312,7 @@
 
 		dbg("symlink(%s, %s)", linktarget, filename);
 		if (!fake) {
+			selinux_setfscreatecon(filename, S_IFLNK);
 			unlink(filename);
 			if (symlink(linktarget, filename) != 0)
 				dbg("symlink(%s, %s) failed with error '%s'",
@@ -441,6 +447,7 @@
 
 	dbg("name='%s'", dev.name);
 
+	selinux_init();
 	switch (dev.type) {
 	case 'b':
 	case 'c':
@@ -478,6 +485,7 @@
 	}
 
 exit:
+	selinux_restore();
 	sysfs_close_class_device(class_dev);
 
 	return retval;
--- udev-030/Makefile.selinux	2004-07-09 13:59:09.000000000 -0400
+++ udev-030/Makefile	2004-08-27 09:28:25.080035864 -0400
@@ -25,6 +25,8 @@
 # Leave this set to `false' for production use.
 DEBUG = false
 
+# Set this to compile with Security-Enhanced Linux support.
+USE_SELINUX = true
 
 ROOT =		udev
 DAEMON =	udevd
@@ -172,6 +174,11 @@
 
 CFLAGS += -I$(PWD)/libsysfs
 
+ifeq ($(strip $(USE_SELINUX)),true)
+	CFLAGS += -DUSE_SELINUX
+	LIB_OBJS += -lselinux
+endif
+
 all: $(ROOT) $(SENDER) $(DAEMON) $(INFO) $(TESTER) $(STARTER)
 	@extras="$(EXTRAS)" ; for target in $$extras ; do \
 		echo $$target ; \
@@ -216,6 +223,7 @@
 		udevdb.h	\
 		klibc_fixups.h	\
 		logging.h	\
+		selinux.h	\
 		list.h
 
 ifeq ($(strip $(USE_KLIBC)),true)


* Re: Cleaned up udev-selinux patch
  2004-08-26 22:56                     ` Greg KH
  2004-08-27 13:32                       ` Daniel J Walsh
@ 2004-08-27 14:28                       ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 12+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-27 14:28 UTC (permalink / raw)
  To: Greg KH
  Cc: Daniel J Walsh, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

On Thu, Aug 26, 2004 at 03:56:40PM -0700, Greg KH wrote:
> On Thu, Aug 26, 2004 at 11:59:28PM +0100, Luke Kenneth Casson Leighton wrote:
> > perhaps the style should be that the Makefile adds some code
> > add_selinux.c based on a configure-time option,
> > 
> > and that some #ifdefs in a header file call a function which
> > is a stub in the header if WITH_SELINUX is not defined.
> > 
> > bizarre_but_likely_quite_good_coding_style_never_encountered_before.h:
> 
> You've never read Linux kernel code, have you :)
 
 all the time :)

 no, but seriously i have: i spent about three months porting linux
 to the xda-2 (400mhz intel-arm pxa263)

 l.




* Re: Cleaned up udev-selinux patch
  2004-08-26 17:41             ` Cleaned up udev-selinux patch Daniel J Walsh
  2004-08-26 17:51               ` Greg KH
  2004-08-26 22:56               ` Luke Kenneth Casson Leighton
@ 2004-08-27 15:36               ` James Morris
  2 siblings, 0 replies; 12+ messages in thread
From: James Morris @ 2004-08-27 15:36 UTC (permalink / raw)
  To: Fedora SELinux support list for users & developers.
  Cc: Greg KH, linux-hotplug-devel, SELinux, harald, Bill Nottingham

On Fri, 27 Aug 2004, Daniel J Walsh wrote:

> Further cleanup and using all static inlines versus defines.  Renamed a 
> couple of functions to make them clearer.

I think Luke is right, these functions should be in a .c file.


- James
-- 
James Morris
<jmorris@redhat.com>






* Re: Cleaned up udev-selinux patch
  2004-08-27 13:32                       ` Daniel J Walsh
@ 2004-08-27 15:42                         ` Luke Kenneth Casson Leighton
  2004-08-30 18:52                         ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 12+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-27 15:42 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Greg KH, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

On Fri, Aug 27, 2004 at 09:32:02AM -0400, Daniel J Walsh wrote:

> Further cleanup and using all static inlines versus defines.  Renamed a 
> couple of functions to make them clearer.
 
> +}
> +static inline void selinux_setfilecon(char *file, unsigned int mode) { 
> +	if (is_selinux_running()) {
> +		security_context_t scontext=NULL;
> +		if (matchpathcon(file, mode, &scontext) < 0) {
> +			dbg("matchpathcon(%s) failed\n", file);
> +		} else {
> +			
> +			if (setfilecon(file, scontext) < 0)
> +				dbg("setfiles %s failed with error '%s'",
> +				    file, strerror(errno));
> +			freecon(scontext);
> +		}
> +	}
> +}
> +
> +static inline void selinux_setfscreatecon(char *file, unsigned int mode) {
> +	int retval = 0;
> +	security_context_t scontext=NULL;
> +
> +	if (is_selinux_running()) {
> +		if (matchpathcon(file, S_IFDIR, &scontext) < 0) {
                               ^^^^^^^

	this should be matchpathcon(file, mode, &scontext)




* Re: Cleaned up udev-selinux patch
  2004-08-27 13:32                       ` Daniel J Walsh
  2004-08-27 15:42                         ` Luke Kenneth Casson Leighton
@ 2004-08-30 18:52                         ` Luke Kenneth Casson Leighton
  1 sibling, 0 replies; 12+ messages in thread
From: Luke Kenneth Casson Leighton @ 2004-08-30 18:52 UTC (permalink / raw)
  To: Daniel J Walsh
  Cc: Greg KH, Bill Nottingham, harald, SELinux,
	Fedora SELinux support list for users & developers.,
	linux-hotplug-devel

found the original message.  not sure if the post ever made it to the lists.

bug highlighted with ^^^^

please acknowledge receipt of message, confirming awareness of bug in
patch.

thanks.

l.

On Fri, Aug 27, 2004 at 09:32:02AM -0400, Daniel J Walsh wrote:
> Further cleanup and using all static inlines versus defines.  Renamed a 
> couple of functions to make them clearer.
> 
> Dan

> --- /dev/null	2004-06-21 15:29:38.000000000 -0400
> +++ udev-030/selinux.h	2004-08-27 09:26:40.160862612 -0400

> +static inline void selinux_setfscreatecon(char *file, unsigned int mode) {
> +	int retval = 0;
> +	security_context_t scontext=NULL;
> +
> +	if (is_selinux_running()) {
> +		if (matchpathcon(file, S_IFDIR, &scontext) < 0) {
                               ^^^^^^^

 this should be matchpathcon(file, mode, &scontext)

> +			dbg("matchpathcon(%s) failed\n", file);
> +		} else {
> +			retval=setfscreatecon(scontext);
> +			if (retval < 0)
> +				dbg("setfiles %s failed with error '%s'",
> +				    file, strerror(errno));
> +			freecon(scontext);
> +		}



