Merge pull request #19551 from cgzones/fix_reload

selinux: reload label db on policy load with libselinux 3.2
2025-02-04 17:47:03 +03:00 · 2021-05-20 21:37:59 +02:00 · 2021-05-20 21:37:59 +02:00 · 9d54c9a3d9
commit 9d54c9a3d9
parent f9e60ff9ad 57e70396df
3 changed files with 19 additions and 24 deletions
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@ -182,28 +182,27 @@ int mac_selinux_init(void) {

 void mac_selinux_maybe_reload(void) {
 #if HAVE_SELINUX
-        int r;
+        int policyload;

        if (!initialized)
                return;

-        r = selinux_status_updated();
-        if (r < 0)
-                log_debug_errno(errno, "Failed to update SELinux from status page: %m");
-        if (r > 0) {
-                int policyload;
+        /* Do not use selinux_status_updated(3), cause since libselinux 3.2 selinux_check_access(3),
+         * called in core and user instances, does also use it under the hood.
+         * That can cause changes to be consumed by selinux_check_access(3) and not being visible here.
+         * Also do not use selinux callbacks, selinux_set_callback(3), cause they are only automatically
+         * invoked since libselinux 3.2 by selinux_status_updated(3).
+         * Relevant libselinux commit: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
+         * Debian Bullseye is going to ship libselinux 3.1, so stay compatible for backports. */
+        policyload = selinux_status_policyload();
+        if (policyload < 0) {
+                log_debug_errno(errno, "Failed to get SELinux policyload from status page: %m");
+                return;
+        }

-                log_debug("SELinux status page update");
-
-                /* from libselinux > 3.1 callbacks gets automatically called, see
-                   https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503 */
-
-                /* only reload on policy changes, not enforcing status changes */
-                policyload = selinux_status_policyload();
-                if (policyload != last_policyload) {
-                        mac_selinux_reload(policyload);
-                        last_policyload = policyload;
-                }
+        if (policyload != last_policyload) {
+                mac_selinux_reload(policyload);
+                last_policyload = policyload;
        }
 #endif
 }
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@ -162,8 +162,8 @@ static int access_init(sd_bus_error *error) {
                return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror_safe(saved_errno));
        }

-        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
-        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
+        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) { .func_audit = audit_callback });
+        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = log_callback });

        initialized = true;
        return 1;
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@ -30,16 +30,12 @@ int mac_selinux_setup(bool *loaded_policy) {
        usec_t before_load, after_load;
        char *con;
        int r;
-        static const union selinux_callback cb = {
-                .func_log = null_log,
-        };
-
        bool initialized = false;

        assert(loaded_policy);

        /* Turn off all of SELinux' own logging, we want to do that */
-        selinux_set_callback(SELINUX_CB_LOG, cb);
+        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = null_log });

        /* Don't load policy in the initrd if we don't appear to have
         * it.  For the real root, we check below if we've already