| From c67be1c7d69a0662ab85720aa0209110c39479f9 Mon Sep 17 00:00:00 2001 |
| From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com> |
| Date: Wed, 27 Nov 2019 19:43:47 +0100 |
| Subject: [PATCH] core: reload SELinux label cache on daemon-reload |
| |
| Reloading the SELinux label cache here enables a light-wight follow-up of a SELinux policy change, e.g. adding a label for a RuntimeDirectory. |
| |
| Closes: #13363 |
| (cherry picked from commit a9dfac21ec850eb5dcaf1ae9ef729389e4c12802) |
| |
| Resolves: #1888912 |
| |
| src/basic/selinux-util.c | 20 ++++++++++++++++++++ |
| src/basic/selinux-util.h | 1 + |
| src/core/main.c | 2 ++ |
| 3 files changed, 23 insertions(+) |
| |
| diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c |
| index e15bd7e1fa..f69d88eb1e 100644 |
| |
| |
| @@ -105,6 +105,26 @@ void mac_selinux_finish(void) { |
| #endif |
| } |
| |
| +void mac_selinux_reload(void) { |
| + |
| +#if HAVE_SELINUX |
| + struct selabel_handle *backup_label_hnd; |
| + |
| + if (!label_hnd) |
| + return; |
| + |
| + backup_label_hnd = TAKE_PTR(label_hnd); |
| + |
| + /* try to initialize new handle |
| + * on success close backup |
| + * on failure restore backup */ |
| + if (mac_selinux_init() == 0) |
| + selabel_close(backup_label_hnd); |
| + else |
| + label_hnd = backup_label_hnd; |
| +#endif |
| +} |
| + |
| int mac_selinux_fix(const char *path, LabelFixFlags flags) { |
| |
| #if HAVE_SELINUX |
| diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h |
| index 08314057fb..abcfabe777 100644 |
| |
| |
| @@ -13,6 +13,7 @@ void mac_selinux_retest(void); |
| |
| int mac_selinux_init(void); |
| void mac_selinux_finish(void); |
| +void mac_selinux_reload(void); |
| |
| int mac_selinux_fix(const char *path, LabelFixFlags flags); |
| int mac_selinux_apply(const char *path, const char *label); |
| diff --git a/src/core/main.c b/src/core/main.c |
| index d897155644..d5c41da0c4 100644 |
| |
| |
| @@ -1682,6 +1682,8 @@ static int invoke_main_loop( |
| saved_log_level = m->log_level_overridden ? log_get_max_level() : -1; |
| saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID; |
| |
| + mac_selinux_reload(); |
| + |
| (void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock); |
| |
| set_manager_defaults(m); |