From 3bbecb2f2cd758e2513993efad01180c7c3c665f Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Mon, 4 Apr 2011 16:56:51 +0200 Subject: [PATCH] selinux: relabel /run the same way as /dev after loading the policy since they both come pre-filled and unlabelled --- src/mount-setup.c | 4 +++- src/selinux-setup.c | 8 ++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/src/mount-setup.c b/src/mount-setup.c index 49eab0bfa..a42ed4395 100644 --- a/src/mount-setup.c +++ b/src/mount-setup.c @@ -243,8 +243,10 @@ int mount_setup(void) { * appropriate labels, after mounting. The other virtual API * file systems do not need. */ - if (unlink("/dev/.systemd-relabel-devtmpfs") >= 0) + if (unlink("/dev/.systemd-relabel-run-dev") >= 0) { nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS); + nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS); + } /* Create a few default symlinks, which are normally created * bei udevd, but some scripts might need them before we start diff --git a/src/selinux-setup.c b/src/selinux-setup.c index e21ff6bb9..c32c7ad8d 100644 --- a/src/selinux-setup.c +++ b/src/selinux-setup.c @@ -43,9 +43,9 @@ int selinux_setup(char *const argv[]) { return 0; /* Before we load the policy we create a flag file to ensure - * that after the reexec we iterate through /dev to relabel - * things. */ - touch("/dev/.systemd-relabel-devtmpfs"); + * that after the reexec we iterate through /run and /dev to + * relabel things. */ + touch("/dev/.systemd-relabel-run-dev"); if (selinux_init_load_policy(&enforce) == 0) { log_debug("Successfully loaded SELinux policy, reexecuting."); @@ -60,7 +60,7 @@ int selinux_setup(char *const argv[]) { } else { log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy."); - unlink("/dev/.systemd-relabel-devtmpfs"); + unlink("/dev/.systemd-relabel-run-dev"); if (enforce > 0) return -EIO; -- 2.30.2