[PATCH] Add initial SELinux support for udev
Based on a patch from Daniel J Walsh <dwalsh@redhat.com>
This commit is contained in:
greg@kroah.com
Greg KH
parent
89067448b9
commit
8481f8ce2b
8
Makefile
8
Makefile
|
|
@ -227,6 +227,14 @@ ifeq ($(USE_DBUS), true)
|
|||
OBJS += udev_dbus.o
|
||||
endif
|
||||
|
||||
# if USE_SELINUX is enabled, then we do not strip or optimize
|
||||
ifeq ($(strip $(USE_SELINUX)),true)
|
||||
CFLAGS += -DUSE_SELINUX
|
||||
OBJS += udev_selinux.o
|
||||
LIB_OBJS += -lselinux
|
||||
endif
|
||||
|
||||
|
||||
# header files automatically generated
|
||||
GEN_HEADERS = udev_version.h
|
||||
|
||||
|
|
|
|||
6
README
6
README
|
|
@ -49,6 +49,11 @@ To use:
|
|||
creates or removes a device node. This requires that DBUS
|
||||
development headers and libraries be present on your system to
|
||||
build properly. Default value is 'false'.
|
||||
USE_SELINUX
|
||||
if set to 'true', SELinux support for udev will be built in.
|
||||
This requires that SELinux development headers and libraries be
|
||||
present on your system to build properly. Default value is
|
||||
'false'.
|
||||
DEBUG
|
||||
if set to 'true', debugging messages will be sent to the syslog
|
||||
as udev is run. Default value is 'false'.
|
||||
|
|
@ -97,3 +102,4 @@ greg@kroah.com
|
|||
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@
|
|||
#include "udev.h"
|
||||
#include "udev_version.h"
|
||||
#include "udev_dbus.h"
|
||||
#include "udev_selinux.h"
|
||||
#include "logging.h"
|
||||
#include "namedev.h"
|
||||
#include "udevdb.h"
|
||||
|
|
@ -217,6 +218,9 @@ static int create_node(struct udevice *dev, int fake)
|
|||
}
|
||||
}
|
||||
|
||||
if (!fake)
|
||||
selinux_add_node(filename);
|
||||
|
||||
/* create symlink if requested */
|
||||
if (dev->symlink[0] != '\0') {
|
||||
symlinks = dev->symlink;
|
||||
|
|
|
|||
15
udev.spec
15
udev.spec
|
|
@ -16,6 +16,11 @@
|
|||
# 1 - DBUS support
|
||||
%define dbus 0
|
||||
|
||||
# if we want to build SELinux support in or not.
|
||||
# 0 - no SELinux support
|
||||
# 1 - SELinux support
|
||||
%define selinux 1
|
||||
|
||||
# if we want to enable debugging support in udev. If it is enabled, lots of
|
||||
# stuff will get sent to the debug syslog.
|
||||
# 0 - debugging disabled
|
||||
|
|
@ -67,6 +72,11 @@ make CC="gcc $RPM_OPT_FLAGS" \
|
|||
%else
|
||||
USE_DBUS=false \
|
||||
%endif
|
||||
%if %{selinux}
|
||||
USE_SELINUX=true \
|
||||
%else
|
||||
USE_SELINUX=false \
|
||||
%endif
|
||||
%if %{debug}
|
||||
DEBUG=true \
|
||||
%else
|
||||
|
|
@ -85,6 +95,11 @@ make DESTDIR=$RPM_BUILD_ROOT install \
|
|||
%else
|
||||
USE_DBUS=false \
|
||||
%endif
|
||||
%if %{selinux}
|
||||
USE_SELINUX=true \
|
||||
%else
|
||||
USE_SELINUX=false \
|
||||
%endif
|
||||
%if %{lsb}
|
||||
USE_LSB=true \
|
||||
%else
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
#include <fcntl.h>
|
||||
#include <unistd.h>
|
||||
#include <errno.h>
|
||||
#include <ctype.h>
|
||||
#include <selinux/selinux.h>
|
||||
|
||||
#include "udev.h"
|
||||
#include "udev_version.h"
|
||||
#include "udev_selinux.h"
|
||||
#include "logging.h"
|
||||
|
||||
|
||||
void selinux_add_node(char *filename)
|
||||
{
|
||||
int retval;
|
||||
|
||||
if (is_selinux_enabled() > 0) {
|
||||
security_context_t scontext;
|
||||
retval = matchpathcon(filename, 0, &scontext);
|
||||
if (retval < 0) {
|
||||
dbg("matchpathcon(%s) failed\n", filename);
|
||||
} else {
|
||||
retval=setfilecon(filename,scontext);
|
||||
if (retval < 0)
|
||||
dbg("setfiles %s failed with error '%s'",
|
||||
filename, strerror(errno));
|
||||
free(scontext);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
#ifndef UDEV_SELINUX_H
|
||||
#define UDEV_SELINUX_H
|
||||
|
||||
#ifdef USE_SELINUX
|
||||
extern void selinux_add_node(char *filename);
|
||||
#else
|
||||
static void selinux_add_node(char *filename) { }
|
||||
#endif
|
||||
|
||||
#endif
|
||||
Loading…
Reference in New Issue