systemd/0001-selinux-fall-back-to-the-netlink-based-API.patch
2020-11-12 12:56:08 +01:00

66 lines
2.8 KiB
Diff

From bef6d96b5aa48ce4b90633c847158f0ae27c7a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 27 Oct 2020 19:47:26 +0100
Subject: [PATCH] selinux: fall back to the netlink-based API
Fedora Rawhide still has the old policy, so selinux prevents our selinux code
from checking if selinux is enabled. But it seems smart to fall back to the old
API anyway.
Follow-up for fd5e402fa9377f2860e02bdb5b84d5f5942e73f4.
---
src/basic/selinux-util.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 1791aeecde..c239634e48 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -133,6 +133,7 @@ static int open_label_db(void) {
int mac_selinux_init(void) {
#if HAVE_SELINUX
int r;
+ bool have_status_page = false;
if (initialized)
return 0;
@@ -140,9 +141,15 @@ int mac_selinux_init(void) {
if (!mac_selinux_use())
return 0;
- r = selinux_status_open(/* no netlink fallback */ 0);
- if (r < 0)
- return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ r = selinux_status_open(/* netlink fallback */ 1);
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(errno))
+ return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ log_warning_errno(errno, "selinux_status_open() failed, using the netlink fallback: %m");
+ } else if (r == 1)
+ log_warning("selinux_status_open() failed to open the status page, using the netlink fallback.");
+ else
+ have_status_page = true;
r = open_label_db();
if (r < 0) {
@@ -150,13 +157,14 @@ int mac_selinux_init(void) {
return r;
}
- /* save the current policyload sequence number, so `mac_selinux_maybe_reload()` does
- not trigger on first call without any actual change */
+ /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
+ * first call without any actual change. */
last_policyload = selinux_status_policyload();
- /* now that the SELinux status page has been successfully opened,
- retrieve the enforcing status over it (to avoid system calls in `security_getenforce()`) */
- enforcing_status_func = selinux_status_getenforce;
+ if (have_status_page)
+ /* Now that the SELinux status page has been successfully opened, retrieve the enforcing
+ * status over it (to avoid system calls in security_getenforce()). */
+ enforcing_status_func = selinux_status_getenforce;
initialized = true;
#endif