int selinux_setup(char *const argv[]) {
#ifdef HAVE_SELINUX
int enforce = 0;
+ usec_t n;
/* Already initialized? */
- if (path_is_mount_point("/selinux") > 0)
+ if (path_is_mount_point("/sys/fs/selinux") > 0 ||
+ path_is_mount_point("/selinux") > 0)
return 0;
+ /* Before we load the policy we create a flag file to ensure
+ * that after the reexec we iterate through /run and /dev to
+ * relabel things. */
+ touch("/dev/.systemd-relabel-run-dev");
+
+ n = now(CLOCK_MONOTONIC);
if (selinux_init_load_policy(&enforce) == 0) {
- log_info("Successfully loaded SELinux policy, reexecuting.");
+ char buf[FORMAT_TIMESPAN_MAX];
+
+ n = now(CLOCK_MONOTONIC) - n;
+ log_info("Successfully loaded SELinux policy in %s, reexecuting.",
+ format_timespan(buf, sizeof(buf), n));
/* FIXME: Ideally we'd just call setcon() here instead
* of having to reexecute ourselves here. */
return -errno;
} else {
- log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");
+ log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
+
+ unlink("/dev/.systemd-relabel-run-dev");
if (enforce > 0)
return -EIO;