X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fselinux-setup.c;h=9a5d6b2a9ddd655d3329c8d1a07f9e8e22740530;hb=761a7c71b649b5e926c28c703a11fbdc22dd6df1;hp=52df7a7221f98c54256589ff45feedf87c63bc2e;hpb=2f6f1bc30c528ca7346b4c93f08b65682aa2876f;p=elogind.git
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index 52df7a722..9a5d6b2a9 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -30,11 +30,12 @@
 #endif
 #include "selinux-setup.h"
+#include "selinux-util.h"
+#include "label.h"
 #include "mount-setup.h"
 #include "macro.h"
 #include "util.h"
 #include "log.h"
-#include "label.h"
 #ifdef HAVE_SELINUX
 static int null_log(int type, const char *fmt, ...) {
@@ -57,8 +58,12 @@ int selinux_setup(bool *loaded_policy) {
 cb.func_log = null_log;
 selinux_set_callback(SELINUX_CB_LOG, cb);
- /* Make sure getcon() works, which needs /proc and /sys */
- mount_setup_early();
+ /* Don't load policy in the initrd if we don't appear to have
+ * it. For the real root, we check below if we've already
+ * loaded policy, and return gracefully.
+ */
+ if (in_initrd() && access(selinux_path(), F_OK) < 0)
+ return 0;
 /* Already initialized by somebody else? */
 r = getcon_raw(&con);
@@ -83,7 +88,7 @@ int selinux_setup(bool *loaded_policy) {
 char timespan[FORMAT_TIMESPAN_MAX];
 char *label;
- label_retest_selinux();
+ retest_selinux();
 /* Transition to the new context */
 r = label_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
@@ -103,7 +108,7 @@ int selinux_setup(bool *loaded_policy) {
 after_load = now(CLOCK_MONOTONIC);
 log_info("Successfully loaded SELinux policy in %s.",
- format_timespan(timespan, sizeof(timespan), after_load - before_load));
+ format_timespan(timespan, sizeof(timespan), after_load - before_load, 0));
 *loaded_policy = true;
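Review bot: In the `@@ -57,8 +58,12 @@` hunk, the new early return treats every `access()` failure as "no policy in the initrd", so an error other than a missing path (EACCES or ELOOP, say) also skips the policy load and returns success without a log line. Narrowing the test to the missing-path case keeps other failures on the normal load path, where they are reported: `if (in_initrd() && access(selinux_path(), F_OK) < 0 && errno == ENOENT)`, ideally with a `log_debug()` before `return 0;` so a boot that comes up without policy can be diagnosed. The same hunk drops `mount_setup_early()` although the following `getcon_raw()` needs /proc and /sys according to the deleted comment; presumably the caller now mounts them first, which is worth confirming because that code is not in this diff. selinux_setup() starts and ends outside this hunk.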