X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fselinux-setup.c;h=793cb03459216f23e62b90fa9554e9b671d44bf7;hb=189583d7e4e0a74e96df12f00013eef8543ac96f;hp=8bd9380775a608f935954a347999b958e736286e;hpb=2e60ecb2f760936552f9d6db32d6ecf828b3c322;p=elogind.git
diff --git a/src/selinux-setup.c b/src/selinux-setup.c
index 8bd938077..793cb0345 100644
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -37,19 +37,32 @@ int selinux_setup(char *const argv[]) {
 #ifdef HAVE_SELINUX
 int enforce = 0;
+ usec_t n;
+ security_context_t con;
 /* Already initialized? */
- if (path_is_mount_point("/selinux") > 0)
- return 0;
+ if (getcon_raw(&con) == 0) {
+ bool initialized;
+
+ initialized = !streq(con, "kernel");
+ freecon(con);
+
+ if (initialized)
+ return 0;
+ }
 /* Before we load the policy we create a flag file to ensure
- * that after the reexec we iterate through /dev to relabel
- * things. */
- mkdir_p("/dev/.systemd", 0755);
- touch("/dev/.systemd/relabel-devtmpfs");
+ * that after the reexec we iterate through /run and /dev to
+ * relabel things. */
+ touch("/dev/.systemd-relabel-run-dev");
+ n = now(CLOCK_MONOTONIC);
 if (selinux_init_load_policy(&enforce) == 0) {
- log_debug("Successfully loaded SELinux policy, reexecuting.");
+ char buf[FORMAT_TIMESPAN_MAX];
+
+ n = now(CLOCK_MONOTONIC) - n;
+ log_info("Successfully loaded SELinux policy in %s, reexecuting.",
+ format_timespan(buf, sizeof(buf), n));
 /* FIXME: Ideally we'd just call setcon() here instead
 * of having to reexecute ourselves here. */
@@ -59,12 +72,12 @@ int selinux_setup(char *const argv[]) {
 return -errno;
 } else {
- log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
-
- unlink("/dev/.systemd/relabel-devtmpfs");
+ unlink("/dev/.systemd-relabel-run-dev");
- if (enforce > 0)
+ if (enforce > 0) {
+ log_full(LOG_ERR, "Failed to load SELinux policy.");
 return -EIO;
+ }
 }
 #endif
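Review bot: The result of `touch("/dev/.systemd-relabel-run-dev")` in the first hunk is discarded, so a failure to create the flag file goes unnoticed while the policy is still loaded and the process reexecutes. The relabel pass over /run and /dev that the comment describes would then presumably be skipped, leaving entries created before the policy load with their pre-policy labels. Assuming touch() reports failure through a negative return, at least record it: `if (touch("/dev/.systemd-relabel-run-dev") < 0) log_warning("Failed to create relabel flag file.");`. The `"kernel"` literal in the new already-initialized test would also benefit from a one-line comment such as `/* "kernel" is treated as the context we have before any policy is loaded */`. selinux_setup() begins before this hunk and continues past it.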
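Review bot: In the `else` branch of the second hunk, a failed policy load with `enforce <= 0` now leaves no log record at all. The removed `log_full(...)` emitted a warning in that case, while the new `log_full(LOG_ERR, ...)` sits inside `if (enforce > 0)`. A host that is expected to run a policy in permissive mode would boot without one and give monitoring nothing to alert on. A low-priority message keeps noise down on systems without a policy while preserving the trail, for example `else log_debug("Unable to load SELinux policy, ignoring.");` after the closing brace of the `if`. The enclosing function starts before this hunk.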