]>
git.ipfire.org Git - thirdparty/systemd.git/blob - src/core/selinux-setup.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 Copyright 2010 Lennart Poettering
11 #include <selinux/selinux.h>
16 #include "selinux-setup.h"
17 #include "selinux-util.h"
18 #include "string-util.h"
23 static int null_log(int type
, const char *fmt
, ...) {
28 int mac_selinux_setup(bool *loaded_policy
) {
32 usec_t before_load
, after_load
;
35 static const union selinux_callback cb
= {
39 bool initialized
= false;
41 assert(loaded_policy
);
43 /* Turn off all of SELinux' own logging, we want to do that */
44 selinux_set_callback(SELINUX_CB_LOG
, cb
);
46 /* Don't load policy in the initrd if we don't appear to have
47 * it. For the real root, we check below if we've already
48 * loaded policy, and return gracefully.
50 if (in_initrd() && access(selinux_path(), F_OK
) < 0)
53 /* Already initialized by somebody else? */
56 initialized
= !streq(con
, "kernel");
60 /* Make sure we have no fds open while loading the policy and
64 /* Now load the policy */
65 before_load
= now(CLOCK_MONOTONIC
);
66 r
= selinux_init_load_policy(&enforce
);
68 _cleanup_(mac_selinux_freep
) char *label
= NULL
;
69 char timespan
[FORMAT_TIMESPAN_MAX
];
73 /* Transition to the new context */
74 r
= mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH
, &label
);
75 if (r
< 0 || !label
) {
77 log_error("Failed to compute init label, ignoring.");
79 r
= setcon_raw(label
);
83 log_error("Failed to transition into init label '%s', ignoring.", label
);
86 after_load
= now(CLOCK_MONOTONIC
);
88 log_info("Successfully loaded SELinux policy in %s.",
89 format_timespan(timespan
, sizeof(timespan
), after_load
- before_load
, 0));
91 *loaded_policy
= true;
98 log_emergency("Failed to load SELinux policy.");
102 log_warning("Failed to load new SELinux policy. Continuing with old policy.");
104 log_debug("Unable to load SELinux policy. Ignoring.");