Merge pull request #30904 from YHNdnzj/no-selinux-reload

core/execute: don't reload selinux before spawning executor

src/core/execute.c

@@ -382,10 +382,6 @@ int exec_spawn(Unit *unit,
         if (r < 0)
                 return log_unit_error_errno(unit, r, "Failed to load environment files: %m");
 
-        /* Fork with up-to-date SELinux label database, so the child inherits the up-to-date db
-           and, until the next SELinux policy changes, we save further reloads in future children. */
-        mac_selinux_maybe_reload();
-
         /* We won't know the real executable path until we create the mount namespace in the child, but we
            want to log from the parent, so we use the possibly inaccurate path here. */
         log_command_line(unit, "About to execute", command->path, command->argv);

src/shared/selinux-util.c

@@ -39,8 +39,6 @@ typedef enum Initialized {
         LAZY_INITIALIZED,
 } Initialized;
 
-static int mac_selinux_reload(int seqno);
-
 static int cached_use = -1;
 static Initialized initialized = UNINITIALIZED;
 static int last_policyload = 0;
@@ -214,6 +212,16 @@ int mac_selinux_init_lazy(void) {
         return 0;
 }
 
+#if HAVE_SELINUX
+static int mac_selinux_reload(int seqno) {
+        log_debug("SELinux reload %d", seqno);
+
+        (void) open_label_db();
+
+        return 0;
+}
+#endif
+
 void mac_selinux_maybe_reload(void) {
 #if HAVE_SELINUX
         int policyload;
@@ -256,16 +264,6 @@ void mac_selinux_finish(void) {
 #endif
 }
 
-#if HAVE_SELINUX
-static int mac_selinux_reload(int seqno) {
-        log_debug("SELinux reload %d", seqno);
-
-        (void) open_label_db();
-
-        return 0;
-}
-#endif
-
 #if HAVE_SELINUX
 static int selinux_fix_fd(
                 int fd,