naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
6136c1
From c67be1c7d69a0662ab85720aa0209110c39479f9 Mon Sep 17 00:00:00 2001
6136c1
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
6136c1
Date: Wed, 27 Nov 2019 19:43:47 +0100
6136c1
Subject: [PATCH] core: reload SELinux label cache on daemon-reload
6136c1
6136c1
Reloading the SELinux label cache here enables a light-wight follow-up of a SELinux policy change, e.g. adding a label for a RuntimeDirectory.
6136c1
6136c1
Closes: #13363
6136c1
(cherry picked from commit a9dfac21ec850eb5dcaf1ae9ef729389e4c12802)
6136c1
6136c1
Resolves: #1888912
6136c1
---
6136c1
 src/basic/selinux-util.c | 20 ++++++++++++++++++++
6136c1
 src/basic/selinux-util.h |  1 +
6136c1
 src/core/main.c          |  2 ++
6136c1
 3 files changed, 23 insertions(+)
6136c1
6136c1
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
6136c1
index e15bd7e1fa..f69d88eb1e 100644
6136c1
--- a/src/basic/selinux-util.c
6136c1
+++ b/src/basic/selinux-util.c
6136c1
@@ -105,6 +105,26 @@ void mac_selinux_finish(void) {
6136c1
 #endif
6136c1
 }
6136c1
 
6136c1
+void mac_selinux_reload(void) {
6136c1
+
6136c1
+#if HAVE_SELINUX
6136c1
+        struct selabel_handle *backup_label_hnd;
6136c1
+
6136c1
+        if (!label_hnd)
6136c1
+                return;
6136c1
+
6136c1
+        backup_label_hnd = TAKE_PTR(label_hnd);
6136c1
+
6136c1
+        /* try to initialize new handle
6136c1
+         *    on success close backup
6136c1
+         *    on failure restore backup */
6136c1
+        if (mac_selinux_init() == 0)
6136c1
+                selabel_close(backup_label_hnd);
6136c1
+        else
6136c1
+                label_hnd = backup_label_hnd;
6136c1
+#endif
6136c1
+}
6136c1
+
6136c1
 int mac_selinux_fix(const char *path, LabelFixFlags flags) {
6136c1
 
6136c1
 #if HAVE_SELINUX
6136c1
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
6136c1
index 08314057fb..abcfabe777 100644
6136c1
--- a/src/basic/selinux-util.h
6136c1
+++ b/src/basic/selinux-util.h
6136c1
@@ -13,6 +13,7 @@ void mac_selinux_retest(void);
6136c1
 
6136c1
 int mac_selinux_init(void);
6136c1
 void mac_selinux_finish(void);
6136c1
+void mac_selinux_reload(void);
6136c1
 
6136c1
 int mac_selinux_fix(const char *path, LabelFixFlags flags);
6136c1
 int mac_selinux_apply(const char *path, const char *label);
6136c1
diff --git a/src/core/main.c b/src/core/main.c
6136c1
index d897155644..d5c41da0c4 100644
6136c1
--- a/src/core/main.c
6136c1
+++ b/src/core/main.c
6136c1
@@ -1682,6 +1682,8 @@ static int invoke_main_loop(
6136c1
                         saved_log_level = m->log_level_overridden ? log_get_max_level() : -1;
6136c1
                         saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID;
6136c1
 
6136c1
+                        mac_selinux_reload();
6136c1
+
6136c1
                         (void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock);
6136c1
 
6136c1
                         set_manager_defaults(m);