mirror of https://github.com/systemd/systemd.git synced 2025-03-21 02:50:18 +03:00

selinux: delay mac_selinux_enforcing call after SELinux was determined to be enabled

Calling `mac_selinux_enforcing()`, which calls `security_getenforce()`, on a SELinux disabled system causes the following error message to be printed:
    Failed to get SELinux enforced status: No such file or directory

Fixes: 257188f80ce1a083e3a88b679b898a73fecab53b ("selinux: cache enforced status and treat retrieve failure as enforced mode")
Supersedes: #15145
Christian Göttsche 2020-03-17 18:11:14 +01:00 committed by Zbigniew Jędrzejewski-Szmek
parent cc46b9d913
commit 194fe32296


@ -185,7 +185,7 @@ int mac_selinux_generic_access_check(
_cleanup_free_ char *cl = NULL;
_cleanup_freecon_ char *fcon = NULL;
char **cmdline = NULL;
const bool enforce = mac_selinux_enforcing();
bool enforce;
int r = 0;
assert(message);
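Review bot: `bool enforce;` in the declaration block is now uninitialized and is only assigned further down, after the `if (r <= 0) return r;` early return, so any code later added between those two points that reads it would see an indeterminate value. Since the commit named in the Fixes line treats a failed status lookup as enforcing, consider either declaring the variable at the point of assignment or giving it a fail-closed initializer such as `bool enforce = true;` so the default stays on the strict side.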
@ -196,6 +196,9 @@ int mac_selinux_generic_access_check(
if (r <= 0)
return r;
/* delay call until we checked in `access_init()` if SELinux is actually enabled */
enforce = mac_selinux_enforcing();
r = sd_bus_query_sender_creds(
message,
SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
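Review bot: the new comment above `enforce = mac_selinux_enforcing();` says the call is delayed but not what breaks if it is moved back, and the placement after the `if (r <= 0) return r;` check is protected by nothing except that comment. Suggest having the comment name the consequence given in the commit message (the "Failed to get SELinux enforced status" error printed on a system with SELinux disabled) and state that the early return above is what is expected to cover the disabled case, so a later refactor does not hoist the call back to the declarations.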