Set the SELinux security label on new directories.
Automatically set the SELinux security label on directories created
by init.rc. This avoids the need to separately call restorecon on
each such directory from the init.rc file. Also restorecon /dev
and /dev/socket after initial policy load so that they are labeled
correctly before any other dev nodes or sockets are created.
Change-Id: If6af6c4887cdead949737cebdd673957e9273ead
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/init/builtins.c b/init/builtins.c
index 661c9b1..a05ca45 100644
--- a/init/builtins.c
+++ b/init/builtins.c
@@ -300,7 +300,7 @@
mode = strtoul(args[2], 0, 8);
}
- ret = mkdir(args[1], mode);
+ ret = make_dir(args[1], mode);
/* chmod in case the directory already exists */
if (ret == -1 && errno == EEXIST) {
ret = _chmod(args[1], mode);
@@ -735,26 +735,12 @@
}
int do_restorecon(int nargs, char **args) {
-#ifdef HAVE_SELINUX
- char *secontext = NULL;
- struct stat sb;
int i;
- if (is_selinux_enabled() <= 0 || !sehandle)
- return 0;
-
for (i = 1; i < nargs; i++) {
- if (lstat(args[i], &sb) < 0)
+ if (restorecon(args[i]) < 0)
return -errno;
- if (selabel_lookup(sehandle, &secontext, args[i], sb.st_mode) < 0)
- return -errno;
- if (lsetfilecon(args[i], secontext) < 0) {
- freecon(secontext);
- return -errno;
- }
- freecon(secontext);
}
-#endif
return 0;
}