selinux: log how much time it takes to load the SELinux policy and database

[elogind.git] / src / selinux-setup.c

diff --git a/src/selinux-setup.c b/src/selinux-setup.c
index d4da693ca473485def0923e7b365d3ba348712a1..f400f416da3872952f0495e5bf589f038921dcfb 100644 (file)
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -37,13 +37,25 @@
 int selinux_setup(char *const argv[]) {
 #ifdef HAVE_SELINUX
        int enforce = 0;
+       usec_t n;
 
        /* Already initialized? */
-       if (path_is_mount_point("/selinux") > 0)
+       if (path_is_mount_point("/sys/fs/selinux") > 0 ||
+           path_is_mount_point("/selinux") > 0)
                return 0;
 
+       /* Before we load the policy we create a flag file to ensure
+        * that after the reexec we iterate through /run and /dev to
+        * relabel things. */
+       touch("/dev/.systemd-relabel-run-dev");
+
+       n = now(CLOCK_MONOTONIC);
        if (selinux_init_load_policy(&enforce) == 0) {
-               log_info("Successfully loaded SELinux policy, reexecuting.");
+               char buf[FORMAT_TIMESPAN_MAX];
+
+               n = now(CLOCK_MONOTONIC) - n;
+               log_info("Successfully loaded SELinux policy in %s, reexecuting.",
+                         format_timespan(buf, sizeof(buf), n));
 
                /* FIXME: Ideally we'd just call setcon() here instead
                 * of having to reexecute ourselves here. */
@@ -53,7 +65,9 @@ int selinux_setup(char *const argv[]) {
                return -errno;
 
        } else {
-               log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");
+               log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
+
+               unlink("/dev/.systemd-relabel-run-dev");
 
                if (enforce > 0)
                        return -EIO;