Re: [PATCH] mdev - add SELinux support

2014-01-20 Thread Amadeusz Sławiński
On Mon, 20 Jan 2014 09:43:24 -0500
Daniel J Walsh dwa...@redhat.com wrote:

 
 On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
 
 A better patch would be to use setfscreatecon(scontext) before the
 mknod. And setfscreatecon(NULL) after.
 
 
 Pseudo code:
 #if ENABLE_SELINUX
     security_context_t scontext = NULL;
     char *node_path = xasprintf("/dev/%s", node_name);
     /* set the creation context first, so the node is born with the right label */
     if (matchpathcon(node_path, rule->mode | type, &scontext) == 0) {
         setfscreatecon(scontext);
         freecon(scontext);
     }
     free(node_path);
 #endif
     if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
         bb_perror_msg("can't create '%s'", node_name);
 #if ENABLE_SELINUX
     setfscreatecon(NULL); /* back to the default creation context */
 #endif
 
 That way you eliminate a potential race condition where the node is
 temporarily mislabeled.
 
 

I don't mind doing it like this; in fact, the first version of this patch
looked almost exactly the same.

My reasoning for doing it the other way is that some nodes (at least on
Gentoo: console, tty, tty1, null, kmsg) are created beforehand and the labels
on those need to be fixed (one can of course edit his scripts and run
restorecon). Also, it should work better this way for people using
devtmpfs to mount/automount /dev, even though they later use mdev.

Amadeusz
___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
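A check in the spirit of the pre-existing-node problem described above (console, tty, null, kmsg created by devtmpfs or early init before mdev runs): an added Python example, not from the thread or from busybox, that parses a constructed file_contexts(5)-style excerpt, computes the expected label for each node in a constructed listing of /dev and reports the nodes restorecon would relabel. Last-match-wins precedence and the device types used are simplifying assumptions; on a real system `restorecon -nv /dev` performs this comparison against the loaded policy.

```python
import re

# Constructed file_contexts(5)-style excerpt (regex, optional type flag, context); not a real policy.
FILE_CONTEXTS = """\
/dev(/.*)?         system_u:object_r:device_t:s0
/dev/console   -c  system_u:object_r:console_device_t:s0
/dev/kmsg      -c  system_u:object_r:kmsg_device_t:s0
/dev/null      -c  system_u:object_r:null_device_t:s0
/dev/tty[0-9]* -c  system_u:object_r:tty_device_t:s0
"""

# Constructed "type path context" listing of /dev as left by devtmpfs/early init.
ACTUAL_DEV = """\
c /dev/console system_u:object_r:device_t:s0
c /dev/kmsg    system_u:object_r:kmsg_device_t:s0
c /dev/null    system_u:object_r:device_t:s0
c /dev/tty1    system_u:object_r:tty_device_t:s0
c /dev/tty     system_u:object_r:device_t:s0
"""

def parse_file_contexts(text):
    """Return [(compiled regex, type flag or None, context)] in file order."""
    specs = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        regex, ctx = parts[0], parts[-1]
        flag = parts[1].lstrip("-") or None if len(parts) == 3 else None  # "-c" -> "c"
        specs.append((re.compile(regex + r"\Z"), flag, ctx))
    return specs

def expected_context(specs, path, ftype):
    """Last matching entry wins (a simplification of libselinux's stem-ordered lookup)."""
    want = None
    for rx, flag, ctx in specs:
        if rx.match(path) and flag in (None, ftype):
            want = ctx
    return want

def find_mislabeled(file_contexts, listing):
    # (path, actual, expected) for every node whose label differs from policy
    specs = parse_file_contexts(file_contexts)
    bad = []
    for line in listing.splitlines():
        ftype, path, actual = line.split()
        want = expected_context(specs, path, ftype)
        if want is not None and want != actual:
            bad.append((path, actual, want))
    return bad
```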

[PATCH] mdev - add SELinux support

2014-01-20 Thread Amadeusz Sławiński
Add support for relabeling files. Files created or modified by mdev
should now have correct SELinux labels.

It sets the file creation context; however, if it detects that the file
exists, it just restores the context.

Signed-off-by: Amadeusz Sławiński am...@asmblr.net
---
 util-linux/mdev.c | 37 +++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/util-linux/mdev.c b/util-linux/mdev.c
index e80b58f..8ecc122 100644
--- a/util-linux/mdev.c
+++ b/util-linux/mdev.c
@@ -552,6 +552,9 @@ static void make_device(char *device_name, char *path, int 
operation)
 {
int major, minor, type, len;
char *path_end = path + strlen(path);
+#if ENABLE_SELINUX
+   int selinux_enabled = is_selinux_enabled();
+#endif
 
/* Try to read major/minor string.  Note that the kernel puts \n after
 * the data, so we don't need to worry about null terminating the string
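Review bot: is_selinux_enabled() is evaluated at the top of make_device() for every operation, while its result is only used inside the OP_add block further down; declaring `selinux_enabled` there keeps the value next to its single use and drops one of the #if ENABLE_SELINUX blocks this patch adds to the function.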
@@ -741,6 +744,11 @@ static void make_device(char *device_name, char *path, int 
operation)
 
if (operation == OP_add  major = 0) {
char *slash = strrchr(node_name, '/');
+#if ENABLE_SELINUX
+   security_context_t scontext = NULL;
+   char *node_path;
+   int have_context = 0;
+#endif
if (slash) {
*slash = '\0';
mkdir_recursive(node_name);
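Review bot: `node_path` is declared without an initializer and is only assigned inside `if (selinux_enabled)`; it is passed to setfilecon() and free() under that same condition, so it is safe as written, but initializing it to NULL (as scontext is) makes the later free(node_path) safe unconditionally and protects against a future edit that moves the cleanup out of the conditional.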
@@ -757,8 +765,33 @@ static void make_device(char *device_name, char *path, int 
operation)
node_name, major, minor, rule-mode | 
type
);
}
-   if (mknod(node_name, rule-mode | type, makedev(major, 
minor))  errno != EEXIST)
-   bb_perror_msg(can't create '%s', node_name);
+#if ENABLE_SELINUX
+   if (selinux_enabled) {
+   node_path = xasprintf(/dev/%s, node_name);
+   have_context = (matchpathcon(node_path, 
rule-mode | type, scontext) == 0);
+   if (have_context)
+   setfscreatecon(scontext);
+   }
+#endif
+   if (mknod(node_name, rule-mode | type, makedev(major, 
minor))) {
+   if (errno == EEXIST) {
+#if ENABLE_SELINUX
+   if (selinux_enabled  have_context)
+   setfilecon(node_path, scontext);
+#endif
+   } else
+   bb_perror_msg(can't create '%s', 
node_name);
+   }
+
+#if ENABLE_SELINUX
+   if (selinux_enabled) {
+   if (have_context)
+   freecon(scontext);
+   setfscreatecon(NULL);
+   free(node_path);
+   }
+#endif
+
if (ENABLE_FEATURE_MDEV_CONF) {
chmod(node_name, rule-mode);
chown(node_name, rule-ugid.uid, 
rule-ugid.gid);
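Review bot: the return values of setfscreatecon() and setfilecon() are discarded, so when the creation context cannot be set or the existing node cannot be relabeled, the node silently keeps the default /dev label this patch exists to fix; report both failures with bb_perror_msg(), as is already done for mknod(). Note also the path mismatch: mknod() receives node_name relative to the current directory while matchpathcon() and setfilecon() receive "/dev/%s", so the two agree only when mdev's cwd is /dev and node_name is relative; a one-line comment, or using the same path for both calls, would make that explicit. Minor style: `} else` followed by a braceless, line-wrapped bb_perror_msg() next to a braced if-branch reads better with both branches braced.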
-- 
1.8.5.3


[PATCH v2] add selinux support to mdev

2014-01-20 Thread Amadeusz Sławiński

I'm booting in enforcing mode and init initializes SELinux; later,
when mdev is started, it needs to create files with correct permissions
for the system to work correctly. The following patch allows for easy booting
of an SELinux system with mdev as the /dev manager.

Added in v2: first try to create the node with the proper file context; if this
doesn't work because the node exists, then set the context on the existing node, as it
may be incorrect due to a devtmpfs mount or manual creation of nodes.

Amadeusz


[PATCH] add selinux support to mdev

2014-01-19 Thread Amadeusz Sławiński
I'm booting in enforcing mode and init initializes SELinux; later,
when mdev is started, it needs to create files with correct permissions
for the system to work correctly. The following patch allows for easy booting
of an SELinux system with mdev as the /dev manager.

Amadeusz


[PATCH] mdev - add SELinux support

2014-01-19 Thread Amadeusz Sławiński
Add support for relabeling files. Files created or modified by mdev
should now have correct SELinux labels.
---
 util-linux/mdev.c | 13 +
 1 file changed, 13 insertions(+)

diff --git a/util-linux/mdev.c b/util-linux/mdev.c
index e80b58f..c8ef48d 100644
--- a/util-linux/mdev.c
+++ b/util-linux/mdev.c
@@ -759,6 +759,19 @@ static void make_device(char *device_name, char *path, int 
operation)
}
if (mknod(node_name, rule-mode | type, makedev(major, 
minor))  errno != EEXIST)
bb_perror_msg(can't create '%s', node_name);
+
+#if ENABLE_SELINUX
+   /* relabel file, don't care if it existed before or was 
just created */
+   if (is_selinux_enabled()) {
+   security_context_t scontext = NULL;
+   char *node_path = xasprintf(/dev/%s, 
node_name);
+
+   if (matchpathcon(node_path, rule-mode | type, 
scontext) == 0)
+   setfilecon(node_path, scontext);
+   freecon(scontext);
+   }
+#endif
+
if (ENABLE_FEATURE_MDEV_CONF) {
chmod(node_name, rule-mode);
chown(node_name, rule-ugid.uid, 
rule-ugid.gid);
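Review bot: the relabel runs only after mknod() has already created the node with the default creation context, so between the two calls the node exists with the wrong label and any open() in that window is checked against the wrong type; setting the creation context with setfscreatecon() before mknod() and resetting it with setfscreatecon(NULL) afterwards closes the window, leaving setfilecon() for the EEXIST case only. The return value of setfilecon() is also ignored, so a failed relabel never shows up in the logs.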
-- 
1.8.5.3



mdev - add selinux support

2013-12-09 Thread Amadeusz Sławiński
Hello,

The attached patch adds basic SELinux support to mdev in what I think is
the most efficient way. It relabels the file, not caring whether it was just created
or existed before (for example, a devtmpfs mount).

Amadeusz Sławiński
diff -uNr a/util-linux/mdev.c b/util-linux/mdev.c
--- a/util-linux/mdev.c	2013-12-07 14:47:24.122978065 +0100
+++ b/util-linux/mdev.c	2013-12-07 14:47:51.875977453 +0100
@@ -776,6 +776,19 @@
 			}
 			if (mknod(node_name, rule-mode | type, makedev(major, minor))  errno != EEXIST)
 bb_perror_msg(can't create '%s', node_name);
+
+#if ENABLE_SELINUX
+			/* relabel file, don't care if it existed before or was just created */
+			if (is_selinux_enabled()) {
+security_context_t scontext = NULL;
+char *node_path = xasprintf(/dev/%s, node_name);
+
+if (matchpathcon(node_path, rule-mode | type, scontext) == 0)
+	setfilecon(node_path, scontext);
+freecon(scontext);
+			}
+#endif
+
 			if (ENABLE_FEATURE_MDEV_CONF) {
 chmod(node_name, rule-mode);
 chown(node_name, rule-ugid.uid, rule-ugid.gid);
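Review bot: node_path from xasprintf() is never freed, so every node added while SELinux is enabled leaks one allocation; add free(node_path) after the setfilecon() call. freecon(scontext) is also reached when matchpathcon() returned non-zero, which only works because scontext is initialised to NULL and freecon() accepts NULL; a short comment there would stop the next reader from "fixing" it, and the unchecked setfilecon() return value should be logged with bb_perror_msg() so a node left with the wrong label is visible.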