2010-10-27 07:47:02 +04:00
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
/***
This file is part of systemd .
Copyright 2010 Lennart Poettering
systemd is free software ; you can redistribute it and / or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
systemd is distributed in the hope that it will be useful , but
WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the GNU
General Public License for more details .
You should have received a copy of the GNU General Public License
along with systemd ; If not , see < http : //www.gnu.org/licenses/>.
* * */
# include <unistd.h>
# include <stdio.h>
# include <errno.h>
# include <string.h>
# include <stdlib.h>
# ifdef HAVE_SELINUX
# include <selinux/selinux.h>
# endif
# include "selinux-setup.h"
# include "macro.h"
# include "util.h"
# include "log.h"
int selinux_setup ( char * const argv [ ] ) {
# ifdef HAVE_SELINUX
int enforce = 0 ;
2011-07-25 23:22:57 +04:00
usec_t n ;
2011-07-25 23:59:05 +04:00
security_context_t con ;
2010-10-27 07:47:02 +04:00
/* Already initialized? */
2011-07-25 23:59:05 +04:00
if ( getcon_raw ( & con ) = = 0 ) {
bool initialized ;
initialized = ! streq ( con , " kernel " ) ;
freecon ( con ) ;
if ( initialized )
return 0 ;
}
2010-10-27 07:47:02 +04:00
2010-11-08 06:59:39 +03:00
/* Before we load the policy we create a flag file to ensure
2011-04-04 18:56:51 +04:00
* that after the reexec we iterate through / run and / dev to
* relabel things . */
touch ( " /dev/.systemd-relabel-run-dev " ) ;
2010-11-08 06:59:39 +03:00
2011-07-25 23:22:57 +04:00
n = now ( CLOCK_MONOTONIC ) ;
2010-10-27 07:47:02 +04:00
if ( selinux_init_load_policy ( & enforce ) = = 0 ) {
2011-07-25 23:22:57 +04:00
char buf [ FORMAT_TIMESPAN_MAX ] ;
n = now ( CLOCK_MONOTONIC ) - n ;
log_info ( " Successfully loaded SELinux policy in %s, reexecuting. " ,
format_timespan ( buf , sizeof ( buf ) , n ) ) ;
2010-10-27 07:47:02 +04:00
/* FIXME: Ideally we'd just call setcon() here instead
* of having to reexecute ourselves here . */
execv ( SYSTEMD_BINARY_PATH , argv ) ;
log_error ( " Failed to reexecute: %m " ) ;
return - errno ;
} else {
2011-03-09 22:12:30 +03:00
log_full ( enforce > 0 ? LOG_ERR : LOG_WARNING , " Failed to load SELinux policy. " ) ;
2010-10-27 07:47:02 +04:00
2011-04-04 18:56:51 +04:00
unlink ( " /dev/.systemd-relabel-run-dev " ) ;
2010-11-08 06:59:39 +03:00
2010-10-27 07:47:02 +04:00
if ( enforce > 0 )
return - EIO ;
}
# endif
return 0 ;
}