From bef6d96b5aa48ce4b90633c847158f0ae27c7a10 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Tue, 27 Oct 2020 19:47:26 +0100
Subject: [PATCH] selinux: fall back to the netlink-based API
Fedora Rawhide still has the old policy, so selinux prevents our selinux code
from checking if selinux is enabled. But it seems smart to fall back to the old
API anyway.
Follow-up for fd5e402fa9377f2860e02bdb5b84d5f5942e73f4.
---
src/basic/selinux-util.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
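diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 1791aeecde..c239634e48 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -133,6 +133,7 @@ static int open_label_db(void) {
 int mac_selinux_init(void) {
 #if HAVE_SELINUX
 int r;
+ bool have_status_page = false;
 
 if (initialized)
 return 0;
@@ -140,9 +141,15 @@ int mac_selinux_init(void) {
 if (!mac_selinux_use())
 return 0;
 
- r = selinux_status_open(/* no netlink fallback */ 0);
- if (r < 0)
- return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ r = selinux_status_open(/* netlink fallback */ 1);
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(errno))
+ return log_enforcing_errno(errno, "Failed to open SELinux status page: %m");
+ log_warning_errno(errno, "selinux_status_open() failed, using the netlink fallback: %m");
+ } else if (r == 1)
+ log_warning("selinux_status_open() failed to open the status page, using the netlink fallback.");
+ else
+ have_status_page = true;
 
 r = open_label_db();
 if (r < 0) {
@@ -150,13 +157,14 @@ int mac_selinux_init(void) {
 return r;
 }
 
- /* save the current policyload sequence number, so `mac_selinux_maybe_reload()` does
- not trigger on first call without any actual change */
+ /* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
+ * first call without any actual change. */
 last_policyload = selinux_status_policyload();
 
- /* now that the SELinux status page has been successfully opened,
- retrieve the enforcing status over it (to avoid system calls in `security_getenforce()`) */
- enforcing_status_func = selinux_status_getenforce;
+ if (have_status_page)
+ /* Now that the SELinux status page has been successfully opened, retrieve the enforcing
+ * status over it (to avoid system calls in security_getenforce()). */
+ enforcing_status_func = selinux_status_getenforce;
 
 initialized = true;
 #endif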
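Review bot: The privilege-error branch in the second hunk logs "using the netlink fallback" after `selinux_status_open(1)` returned a negative value, yet with fallback requested libselinux, if I read it correctly, only returns negative once the status page and the netlink fallback have both failed to open, so the message overstates what is still available. Initialization then continues to `last_policyload = selinux_status_policyload();` in the third hunk with no status source open, which in that situation yields an error value rather than a sequence number; that is probably harmless for the first `mac_selinux_maybe_reload()` comparison, but it is not what the comment above the assignment describes, and `enforcing_status_func` silently stays on the syscall path. I would reword the message to `log_warning_errno(errno, "selinux_status_open() failed, continuing without SELinux status tracking: %m");` and skip the `selinux_status_policyload()` read in that branch, for instance by recording the failure in a second flag next to `have_status_page`. The body of mac_selinux_init() continues past the last hunk.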