[PATCH] Add initial SELinux support for udev

Based on a patch from Daniel J Walsh <dwalsh@redhat.com>

6 files changed, 77 insertions, 0 deletions

diff --git a/Makefile b/Makefile
index d58569f581..b24e147838 100644
--- a/Makefile
+++ b/Makefile
@@ -227,6 +227,14 @@ ifeq ($(USE_DBUS), true)
 	OBJS += udev_dbus.o
 endif
 
+# if USE_SELINUX is enabled, then we do not strip or optimize
+ifeq ($(strip $(USE_SELINUX)),true)
+	CFLAGS  += -DUSE_SELINUX
+	OBJS += udev_selinux.o
+	LIB_OBJS += -lselinux
+endif
+
+
 # header files automatically generated
 GEN_HEADERS =	udev_version.h
 
diff --git a/README b/README
index c63912101a..75d642c942 100644
--- a/README
+++ b/README
@@ -49,6 +49,11 @@ To use:
 		creates or removes a device node.  This requires that DBUS
 		development headers and libraries be present on your system to
 		build properly.  Default value is 'false'.
+	USE_SELINUX
+		if set to 'true', SELinux support for udev will be built in.
+		This requires that SELinux development headers and libraries be
+		present on your system to build properly.  Default value is
+		'false'.
 	DEBUG
 		if set to 'true', debugging messages will be sent to the syslog
 		as udev is run.  Default value is 'false'.
@@ -97,3 +102,4 @@ greg@kroah.com
 
 
 
+
diff --git a/udev-add.c b/udev-add.c
index 0d3131300f..2f64b4375a 100644
--- a/udev-add.c
+++ b/udev-add.c
@@ -38,6 +38,7 @@
 #include "udev.h"
 #include "udev_version.h"
 #include "udev_dbus.h"
+#include "udev_selinux.h"
 #include "logging.h"
 #include "namedev.h"
 #include "udevdb.h"
@@ -217,6 +218,9 @@ static int create_node(struct udevice *dev, int fake)
 		}
 	}
 
+	if (!fake)
+		selinux_add_node(filename);
+
 	/* create symlink if requested */
 	if (dev->symlink[0] != '\0') {
 		symlinks = dev->symlink;
diff --git a/udev.spec b/udev.spec
index 63d1835a4a..4cd1f8a94b 100644
--- a/udev.spec
+++ b/udev.spec
@@ -16,6 +16,11 @@
 # 1 - DBUS support
 %define dbus 0
 
+# if we want to build SELinux support in or not.
+# 0 - no SELinux support
+# 1 - SELinux support
+%define selinux 1 
+
 # if we want to enable debugging support in udev.  If it is enabled, lots of 
 # stuff will get sent to the debug syslog.
 # 0 - debugging disabled
@@ -67,6 +72,11 @@ make CC="gcc $RPM_OPT_FLAGS"	\
 %else
 	USE_DBUS=false		\
 %endif
+%if %{selinux}
+	USE_SELINUX=true	\
+%else
+	USE_SELINUX=false	\
+%endif
 %if %{debug}
 	DEBUG=true		\
 %else
@@ -85,6 +95,11 @@ make DESTDIR=$RPM_BUILD_ROOT install \
 %else
 	USE_DBUS=false		\
 %endif
+%if %{selinux}
+	USE_SELINUX=true	\
+%else
+	USE_SELINUX=false	\
+%endif
 %if %{lsb}
 	USE_LSB=true		\
 %else
diff --git a/udev_selinux.c b/udev_selinux.c
new file mode 100644
index 0000000000..3728fd0b50
--- /dev/null
+++ b/udev_selinux.c
@@ -0,0 +1,34 @@
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <errno.h>
+#include <ctype.h>
+#include <selinux/selinux.h>
+
+#include "udev.h"
+#include "udev_version.h"
+#include "udev_selinux.h"
+#include "logging.h"
+
+
+void selinux_add_node(char *filename)
+{
+	int retval;
+
+	if (is_selinux_enabled() > 0) {
+		security_context_t scontext;
+		retval = matchpathcon(filename, 0, &scontext);
+		if (retval < 0) {
+			dbg("matchpathcon(%s) failed\n", filename);
+		} else {
+			retval=setfilecon(filename,scontext);
+			if (retval < 0)
+				dbg("setfiles %s failed with error '%s'",
+				    filename, strerror(errno));
+			free(scontext);
+		}
+	}
+}
+
diff --git a/udev_selinux.h b/udev_selinux.h
new file mode 100644
index 0000000000..77a1f36bd9
--- /dev/null
+++ b/udev_selinux.h
@@ -0,0 +1,10 @@
+#ifndef UDEV_SELINUX_H
+#define UDEV_SELINUX_H
+
+#ifdef USE_SELINUX
+extern void selinux_add_node(char *filename);
+#else
+static void selinux_add_node(char *filename) { }
+#endif
+
+#endif