Re: [PATCH] mdev - add SELinux support
On Mon, 20 Jan 2014 09:43:24 -0500 Daniel J Walsh dwa...@redhat.com wrote:

> On 01/19/2014 11:23 AM, Amadeusz Sławiński wrote:
>
> A better patch would be to use setfscreatecon(scontext) before the mknod, and setfscreatecon(NULL) after.
>
> Pseudo code:
>
>     #if ENABLE_SELINUX
>         security_context_t scontext = NULL;
>         char *node_path = xasprintf("/dev/%s", node_name);
>         /* look up the label the policy expects for this path and file type */
>         if (matchpathcon(node_path, rule->mode | type, &scontext) == 0) {
>             setfscreatecon(scontext);
>             freecon(scontext);
>         }
>     #endif
>         if (mknod(node_name, rule->mode | type, makedev(major, minor)) && errno != EEXIST)
>             bb_perror_msg("can't create '%s'", node_name);
>     #if ENABLE_SELINUX
>         /* back to the default creation context */
>         setfscreatecon(NULL);
>     #endif
>
> That way you eliminate a potential race condition where the node is temporarily mislabeled.

I don't mind doing it like this; in fact, the first version of this patch looked almost exactly the same. My reasoning for doing it the other way is that some nodes (at least on Gentoo: console, tty, tty1, null, kmsg) are created before, and the labels on those need to be fixed (one can of course edit his scripts and run restorecon). Also it should work better this way for people using devtmpfs to mount/automount /dev, even though they later use mdev.

Amadeusz

___
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[PATCH] mdev - add SELinux support
Add support for relabeling files. Files created or modified by mdev should now have correct SELinux labels. It sets file creation context, however if it detects that file exists it just restores context. Signed-off-by: Amadeusz Sławiński am...@asmblr.net --- util-linux/mdev.c | 37 +++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/util-linux/mdev.c b/util-linux/mdev.c index e80b58f..8ecc122 100644 --- a/util-linux/mdev.c +++ b/util-linux/mdev.c @@ -552,6 +552,9 @@ static void make_device(char *device_name, char *path, int operation) { int major, minor, type, len; char *path_end = path + strlen(path); +#if ENABLE_SELINUX + int selinux_enabled = is_selinux_enabled(); +#endif /* Try to read major/minor string. Note that the kernel puts \n after * the data, so we don't need to worry about null terminating the string @@ -741,6 +744,11 @@ static void make_device(char *device_name, char *path, int operation) if (operation == OP_add major = 0) { char *slash = strrchr(node_name, '/'); +#if ENABLE_SELINUX + security_context_t scontext = NULL; + char *node_path; + int have_context = 0; +#endif if (slash) { *slash = '\0'; mkdir_recursive(node_name); 
@@ -757,8 +765,33 @@ static void make_device(char *device_name, char *path, int operation) node_name, major, minor, rule-mode | type ); } - if (mknod(node_name, rule-mode | type, makedev(major, minor)) errno != EEXIST) - bb_perror_msg(can't create '%s', node_name); +#if ENABLE_SELINUX + if (selinux_enabled) { + node_path = xasprintf(/dev/%s, node_name); + have_context = (matchpathcon(node_path, rule-mode | type, scontext) == 0); + if (have_context) + setfscreatecon(scontext); + } +#endif + if (mknod(node_name, rule-mode | type, makedev(major, minor))) { + if (errno == EEXIST) { +#if ENABLE_SELINUX + if (selinux_enabled have_context) + setfilecon(node_path, scontext); +#endif + } else + bb_perror_msg(can't create '%s', node_name); + } + +#if ENABLE_SELINUX + if (selinux_enabled) { + if (have_context) + freecon(scontext); + setfscreatecon(NULL); + free(node_path); + } +#endif + if (ENABLE_FEATURE_MDEV_CONF) { chmod(node_name, rule-mode); chown(node_name, rule-ugid.uid, rule-ugid.gid); -- 1.8.5.3 ___ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
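Review bot: in the third hunk the return values of setfscreatecon(scontext) and setfilecon(node_path, scontext) are discarded, so if the policy refuses to set the creation context (or the relabel in the EEXIST branch fails) the node silently keeps the default label and nothing reports it; check `setfscreatecon(scontext) == 0` before relying on it (on failure, fall back to relabeling with setfilecon after a successful mknod) and report a setfilecon failure with bb_perror_msg. In the EEXIST branch consider lsetfilecon instead of setfilecon, so that a pre-existing symlink at node_name gets the label matched for its own path rather than relabeling whatever it points to.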
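Review bot: in the second hunk `char *node_path;` is declared without an initializer and is only assigned inside `if (selinux_enabled)`; every later use (setfilecon, free) sits under the same guard, so it is correct as written, but initializing it to NULL like scontext keeps `free(node_path)` harmless if the guards ever diverge and avoids maybe-uninitialized warnings.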
[PATCH v2] add selinux support to mdev
I'm booting in enforcing mode and init initializes SELinux; later, when mdev is started, it needs to create files with the correct permissions for the system to work correctly. The following patch allows easy booting of an SELinux system with mdev as the /dev manager.

Added in v2: first try to create the node with the proper file context; if this doesn't work because the node exists, then set the context on the existing node, as it may be incorrect due to a devtmpfs mount or manual creation of nodes.

Amadeusz
[PATCH] add selinux support to mdev
I'm booting in enforcing mode and init initializes SELinux; later, when mdev is started, it needs to create files with the correct permissions for the system to work correctly. The following patch allows easy booting of an SELinux system with mdev as the /dev manager.

Amadeusz
[PATCH] mdev - add SELinux support
Add support for relabeling files. Files created or modified by mdev should now have correct SELinux labels. --- util-linux/mdev.c | 13 + 1 file changed, 13 insertions(+) diff --git a/util-linux/mdev.c b/util-linux/mdev.c index e80b58f..c8ef48d 100644 --- a/util-linux/mdev.c +++ b/util-linux/mdev.c @@ -759,6 +759,19 @@ static void make_device(char *device_name, char *path, int operation) } if (mknod(node_name, rule-mode | type, makedev(major, minor)) errno != EEXIST) bb_perror_msg(can't create '%s', node_name); + +#if ENABLE_SELINUX + /* relabel file, don't care if it existed before or was just created */ + if (is_selinux_enabled()) { + security_context_t scontext = NULL; + char *node_path = xasprintf(/dev/%s, node_name); + + if (matchpathcon(node_path, rule-mode | type, scontext) == 0) + setfilecon(node_path, scontext); + freecon(scontext); + } +#endif + if (ENABLE_FEATURE_MDEV_CONF) { chmod(node_name, rule-mode); chown(node_name, rule-ugid.uid, rule-ugid.gid); -- 1.8.5.3 ___ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
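Review bot: the relabel block runs after mknod has already created the node with the default creation context, so there is a window in which a new node is mislabeled before setfilecon fixes it; setting the context with setfscreatecon before mknod and resetting it with setfscreatecon(NULL) afterwards closes that window. The block also runs unconditionally: when mknod fails for a reason other than EEXIST the preceding bb_perror_msg does not return, so setfilecon is attempted on a path that was never created. Finally, node_path from xasprintf is never freed, so each relabeled node leaks the string; add `free(node_path);` after the freecon.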
mdev - add selinux support
Hello, Attached patch adds basic selinux support to mdev in what I think is most efficient way. It relabels file not caring if it was just created or existed before (for example devtmpfs mount). Amadeusz Sławiński diff -uNr a/util-linux/mdev.c b/util-linux/mdev.c --- a/util-linux/mdev.c 2013-12-07 14:47:24.122978065 +0100 +++ b/util-linux/mdev.c 2013-12-07 14:47:51.875977453 +0100 @@ -776,6 +776,19 @@ } if (mknod(node_name, rule-mode | type, makedev(major, minor)) errno != EEXIST) bb_perror_msg(can't create '%s', node_name); + +#if ENABLE_SELINUX + /* relabel file, don't care if it existed before or was just created */ + if (is_selinux_enabled()) { +security_context_t scontext = NULL; +char *node_path = xasprintf(/dev/%s, node_name); + +if (matchpathcon(node_path, rule-mode | type, scontext) == 0) + setfilecon(node_path, scontext); +freecon(scontext); + } +#endif + if (ENABLE_FEATURE_MDEV_CONF) { chmod(node_name, rule-mode); chown(node_name, rule-ugid.uid, rule-ugid.gid); ___ busybox mailing list busybox@busybox.net http://lists.busybox.net/mailman/listinfo/busybox
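Review bot: the added lines inside the `if (is_selinux_enabled())` block (`+security_context_t scontext = NULL;`, `+char *node_path = ...`, `+freecon(scontext);`) are not indented to the block level, unlike the surrounding busybox code; please indent them one tab deeper than the `if`. The xasprintf'd node_path is also never freed, so add `free(node_path);` next to the freecon.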