label: generalize label_get_socket_label_from_exe() a bit
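--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -37,19 +37,32 @@
 int selinux_setup(char *const argv[]) {
 #ifdef HAVE_SELINUX
 int enforce = 0;
+usec_t n;
+security_context_t con;
 /* Already initialized? */
-if (path_is_mount_point("/selinux") > 0)
-return 0;
+if (getcon_raw(&con) == 0) {
+bool initialized;
+
+initialized = !streq(con, "kernel");
+freecon(con);
+
+if (initialized)
+return 0;
+}
 /* Before we load the policy we create a flag file to ensure
-* that after the reexec we iterate through /dev to relabel
-* things. */
-mkdir_p("/dev/.systemd", 0755);
-touch("/dev/.systemd/relabel-devtmpfs");
+* that after the reexec we iterate through /run and /dev to
+* relabel things. */
+touch("/dev/.systemd-relabel-run-dev");
+n = now(CLOCK_MONOTONIC);
 if (selinux_init_load_policy(&enforce) == 0) {
-log_debug("Successfully loaded SELinux policy, reexecuting.");
+char buf[FORMAT_TIMESPAN_MAX];
+
+n = now(CLOCK_MONOTONIC) - n;
+log_info("Successfully loaded SELinux policy in %s, reexecuting.",
+format_timespan(buf, sizeof(buf), n));
 /* FIXME: Ideally we'd just call setcon() here instead
 * of having to reexecute ourselves here. */
@@ -59,12 +72,12 @@ int selinux_setup(char *const argv[]) {
 return -errno;
 } else {
-log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
-
-unlink("/dev/.systemd/relabel-devtmpfs");
+unlink("/dev/.systemd-relabel-run-dev");
-if (enforce > 0)
+if (enforce > 0) {
+log_full(LOG_ERR, "Failed to load SELinux policy.");
 return -EIO;
+}
 }
 #endif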
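Review bot: In the second hunk's failure branch, a failed policy load is now reported only when `enforce > 0`; the non-enforcing case, which the removed line logged at LOG_WARNING, falls through without any message. If the quieting is meant to spare hosts that ship no policy (an inference, the commit does not say), a low-priority record would still let an operator tell "policy failed to load" apart from "SELinux not in use" when reading boot logs. I would add `log_debug("Failed to load SELinux policy, continuing without it.");` directly after the closing brace of the `if (enforce > 0)` block. The function's tail after `#endif` is not visible here, so this assumes nothing later logs the condition.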