diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index bc07654..2c2d0bb 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -144,6 +144,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
         r = lstat(path, &st);
         if (r >= 0) {
                 _cleanup_freecon_ char* fcon = NULL;
+                _cleanup_freecon_ char* curr_fcon = NULL;
                 r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
@@ -152,6 +153,15 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
                         return 0;
                 if (r >= 0) {
+                        r = lgetfilecon(path, &curr_fcon);
+                        if ((r >= 0) && (strcmp(curr_fcon, fcon) == 0)) {
+                                /* File/directory already has the right context - no need to change
+                                   as this may trigger a failure due to insuficcient privileges. */
+                                return 0;
+                        } else {
+                                log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);
+                        }
+
                         r = lsetfilecon_raw(path, fcon);
                         /* If the FS doesn't support labels, then exit without warning */
diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c
index 5d8ab0e..42adc2e 100644
--- a/src/core/mount-setup.c
+++ b/src/core/mount-setup.c
@@ -377,6 +377,12 @@ int mount_setup(bool loaded_policy) {
                 nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
                 nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+                /* Temporarily remount the root cgroup filesystem to give it a proper label. */
+                (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, "mode=755");
+                label_fix("/sys/fs/cgroup", false, false);
+                nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT|FTW_PHYS|FTW_ACTIONRETVAL);
+                (void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME|MS_RDONLY, "mode=755");
+
                 after_relabel = now(CLOCK_MONOTONIC);
                 log_info("Relabelled /dev and /run in %s.",
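Review bot: The else branch in the second selinux-util.c hunk logs "Unable to retrieve existing SELinux context" whenever the two contexts merely differ, because it is reached both when lgetfilecon() fails and when it succeeds but strcmp() is non-zero, so every file that genuinely needs relabelling now produces a misleading warning (and log_enforcing presumably escalates it in enforcing mode — worth confirming). The comparison also mixes raw and translated contexts: fcon comes from selabel_lookup_raw() and is applied with lsetfilecon_raw(), but the current label is read with the non-raw lgetfilecon(), so with a context translation daemon active the two strings can differ spuriously and the function falls through to the set path it was trying to avoid; lgetfilecon_raw() keeps both sides in the same form. Separating the lookup-failure case from the already-labelled case fixes both, as below (the added comment's "insuficcient" typo would go away with it). mac_selinux_fix() starts and ends outside the hunk.
```c
                        r = lgetfilecon_raw(path, &curr_fcon);
                        if (r < 0)
                                log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);
                        else if (strcmp(curr_fcon, fcon) == 0)
                                /* Already carries the wanted context; skipping the set avoids a
                                 * needless lsetfilecon_raw() that may fail for lack of privileges. */
                                return 0;

                        /* … unchanged: lsetfilecon_raw() call and its error handling … */
```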