chiark
/
gitweb
/
~ianmdlvl
/
elogind.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
selinux: relabel /dev after loading policy
[elogind.git]
/
src
/
selinux-setup.c
diff --git
a/src/selinux-setup.c
b/src/selinux-setup.c
index d4da693ca473485def0923e7b365d3ba348712a1..b2beb33d1f34d379aac37a8c37a699e77bbc46c9 100644
(file)
--- a/
src/selinux-setup.c
+++ b/
src/selinux-setup.c
@@
-42,8
+42,14
@@
int selinux_setup(char *const argv[]) {
if (path_is_mount_point("/selinux") > 0)
return 0;
if (path_is_mount_point("/selinux") > 0)
return 0;
+ /* Before we load the policy we create a flag file to ensure
+ * that after the reexec we iterate through /dev to relabel
+ * things. */
+ mkdir_p("/dev/.systemd", 0755);
+ touch("/dev/.systemd/relabel-devtmpfs");
+
if (selinux_init_load_policy(&enforce) == 0) {
if (selinux_init_load_policy(&enforce) == 0) {
- log_
info
("Successfully loaded SELinux policy, reexecuting.");
+ log_
debug
("Successfully loaded SELinux policy, reexecuting.");
/* FIXME: Ideally we'd just call setcon() here instead
* of having to reexecute ourselves here. */
/* FIXME: Ideally we'd just call setcon() here instead
* of having to reexecute ourselves here. */
@@
-55,6
+61,8
@@
int selinux_setup(char *const argv[]) {
} else {
log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");
} else {
log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");
+ unlink("/dev/.systemd/relabel-devtmpfs");
+
if (enforce > 0)
return -EIO;
}
if (enforce > 0)
return -EIO;
}
~ianmdlvl / elogind.git / blobdiff