Attachment #464016 for bug #528674

View | Details | Raw Unified | Return to bug 528674
Collapse All | Expand All




        r = lstat(path, &st);
        if (r >= 0) {
                _cleanup_freecon_ char* fcon = NULL;
                _cleanup_freecon_ char* curr_fcon = NULL;

                r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);


                        return 0;

                if (r >= 0) {
                        r = lgetfilecon(path, &curr_fcon);
                        if ((r >= 0) && (strcmp(curr_fcon, fcon) == 0)) {
                                /* File/directory already has the right context - no need to change
                                   as this may trigger a failure due to insuficcient privileges. */
                                return 0;
                        } else {
                                log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);
                        }

                        r = lsetfilecon_raw(path, fcon);

                        /* If the FS doesn't support labels, then exit without warning */

Lines 377-382 int mount_setup(bool loaded_policy) { Link Here

(-)a/src/core/mount-setup.c (+6 lines)
377	nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);	377	nftw("/dev/shm", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
378	nftw("/run", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);	378	nftw("/run", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
379		379
		380	/* Temporarily remount the root cgroup filesystem to give it a proper label. */
		381	(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME, "mode=755");
		382	label_fix("/sys/fs/cgroup", false, false);
		383	nftw("/sys/fs/cgroup", nftw_cb, 64, FTW_MOUNT\|FTW_PHYS\|FTW_ACTIONRETVAL);
		384	(void) mount("tmpfs", "/sys/fs/cgroup", "tmpfs", MS_REMOUNT\|MS_NOSUID\|MS_NOEXEC\|MS_NODEV\|MS_STRICTATIME\|MS_RDONLY, "mode=755");
		385
380	after_relabel = now(CLOCK_MONOTONIC);	386	after_relabel = now(CLOCK_MONOTONIC);
381		387
382	log_info("Relabelled /dev and /run in %s.",	388	log_info("Relabelled /dev and /run in %s.",

Return to bug 528674

Lines 144-149 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { Link Here

(-)a/src/basic/selinux-util.c (+10 lines)
144	r = lstat(path, &st);	144	r = lstat(path, &st);
145	if (r >= 0) {	145	if (r >= 0) {
146	_cleanup_freecon_ char* fcon = NULL;	146	_cleanup_freecon_ char* fcon = NULL;
		147	_cleanup_freecon_ char* curr_fcon = NULL;
147		148
148	r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);	149	r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode);
149		150
Lines 152-157 int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { Link Here
152	return 0;	153	return 0;
153		154
154	if (r >= 0) {	155	if (r >= 0) {
		156	r = lgetfilecon(path, &curr_fcon);
		157	if ((r >= 0) && (strcmp(curr_fcon, fcon) == 0)) {
		158	/* File/directory already has the right context - no need to change
		159	as this may trigger a failure due to insuficcient privileges. */
		160	return 0;
		161	} else {
		162	log_enforcing("Unable to retrieve existing SELinux context for %s - trying to set new one anyway", path);
		163	}
		164
155	r = lsetfilecon_raw(path, fcon);	165	r = lsetfilecon_raw(path, fcon);
156		166
157	/* If the FS doesn't support labels, then exit without warning */	167	/* If the FS doesn't support labels, then exit without warning */