selinux: relabel /dev after loading policy

2024-12-28 06:35:34 +07:00 · 2010-11-07 22:59:39 -05:00 · 2010-11-07 22:59:39 -05:00 · 1829dc9dc5
commit 1829dc9dc5
parent 31a7034d38
2 changed files with 27 additions and 1 deletions
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@ -27,6 +27,7 @@
 #include <libgen.h>
 #include <assert.h>
 #include <unistd.h>
+#include <ftw.h>

 #include "mount-setup.h"
 #include "log.h"
@ -189,6 +190,16 @@ static int symlink_and_label(const char *old_path, const char *new_path) {
        return r;
 }

+static int nftw_cb(
+                const char *fpath,
+                const struct stat *sb,
+                int tflag,
+                struct FTW *ftwbuf) {
+
+        label_fix(fpath);
+        return 0;
+};
+
 int mount_setup(void) {

        const char *symlinks =
@ -207,6 +218,13 @@ int mount_setup(void) {
                if ((r = mount_one(mount_table+i)) < 0)
                        return r;

+        /* Nodes in devtmpfs need to be manually updated for the
+         * appropriate labels, after mounting. The other virtual API
+         * file systems do not need. */
+
+        if (unlink("/dev/.systemd/relabel-devtmpfs") >= 0)
+                nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+
        /* Create a few default symlinks, which are normally created
         * bei udevd, but some scripts might need them before we start
         * udevd. */
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@ -42,8 +42,14 @@ int selinux_setup(char *const argv[]) {
       if (path_is_mount_point("/selinux") > 0)
               return 0;

+       /* Before we load the policy we create a flag file to ensure
+        * that after the reexec we iterate through /dev to relabel
+        * things. */
+       mkdir_p("/dev/.systemd", 0755);
+       touch("/dev/.systemd/relabel-devtmpfs");
+
       if (selinux_init_load_policy(&enforce) == 0) {
-               log_info("Successfully loaded SELinux policy, reexecuting.");
+               log_debug("Successfully loaded SELinux policy, reexecuting.");

               /* FIXME: Ideally we'd just call setcon() here instead
                * of having to reexecute ourselves here. */
@ -55,6 +61,8 @@ int selinux_setup(char *const argv[]) {
       } else {
               log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");

+               unlink("/dev/.systemd/relabel-devtmpfs");
+
               if (enforce > 0)
                       return -EIO;
       }