Merge pull request #15237 from cgzones/improve

SELinux cache updates
2024-10-27 18:55:40 +03:00 · 2020-03-28 09:38:16 +01:00 · 2020-03-28 09:38:16 +01:00 · 2df0df56dd
commit 2df0df56dd
parent 3c04ed633b 1b7d1cae0f
2 changed files with 13 additions and 8 deletions
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@ -44,8 +44,10 @@ static struct selabel_handle *label_hnd = NULL;

 bool mac_selinux_use(void) {
 #if HAVE_SELINUX
-        if (cached_use < 0)
+        if (_unlikely_(cached_use < 0)) {
                cached_use = is_selinux_enabled() > 0;
+                log_debug("SELinux enabled state cached to: %s", cached_use ? "enabled" : "disabled");
+        }

        return cached_use;
 #else
@ -55,14 +57,15 @@ bool mac_selinux_use(void) {

 bool mac_selinux_enforcing(void) {
 #if HAVE_SELINUX
-        if (cached_enforcing < 0) {
+        if (_unlikely_(cached_enforcing < 0)) {
                cached_enforcing = security_getenforce();
-                if (cached_enforcing == -1) {
-                        log_error_errno(errno, "Failed to get SELinux enforced status: %m");
-                }
+                if (cached_enforcing == -1)
+                        log_error_errno(errno, "Failed to get SELinux enforced status, continue in enforcing mode: %m");
+                else
+                        log_debug("SELinux enforcing state cached to: %s", cached_enforcing ? "enforcing" : "permissive");
        }

-        /* treat failure as enforced mode */
+        /* treat failure as enforcing mode */
        return (cached_enforcing != 0);
 #else
        return false;
@ -80,6 +83,8 @@ void mac_selinux_retest(void) {
 static int setenforce_callback(int enforcing) {
        cached_enforcing = enforcing;

+        log_debug("SELinux enforcing state updated to: %s", cached_enforcing ? "enforcing" : "permissive");
+
        return 0;
 }
 #endif
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@ -272,8 +272,8 @@ int mac_selinux_generic_access_check(
                        sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
        }

-        log_debug_errno(r, "SELinux access check scon=%s tcon=%s tclass=%s perm=%s path=%s cmdline=%s: %m",
-                        scon, fcon, tclass, permission, path, cl);
+        log_debug_errno(r, "SELinux access check scon=%s tcon=%s tclass=%s perm=%s state=%s path=%s cmdline=%s: %m",
+                        scon, fcon, tclass, permission, enforce ? "enforcing" : "permissive", path, cl);
        return enforce ? r : 0;
 }