Revert "selinux: cache enforced status and treat retrieve failure as enforced mode"
authorLennart Poettering <lennart@poettering.net>
Tue, 14 Jul 2020 13:18:10 +0000 (15:18 +0200)
committerLennart Poettering <lennart@poettering.net>
Thu, 16 Jul 2020 06:49:35 +0000 (08:49 +0200)
This reverts commit 257188f80ce1a083e3a88b679b898a73fecab53b.

src/basic/selinux-util.c
src/basic/selinux-util.h
src/core/selinux-access.c

index 80bd65b1558d1a9376b50005c8a122a687c04978..c94ee26bd900af070e7b13bcd99a4c0577c1eab5 100644 (file)
@@ -35,14 +35,14 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
 static int mac_selinux_reload(int seqno);
 
 static int cached_use = -1;
-static int cached_enforcing = -1;
 static struct selabel_handle *label_hnd = NULL;
 
-#define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
+#define log_enforcing(...)                                              \
+        log_full(security_getenforce() != 0 ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
 
 #define log_enforcing_errno(error, ...)                                 \
         ({                                                              \
-                bool _enforcing = mac_selinux_enforcing();              \
+                bool _enforcing = security_getenforce() != 0;           \
                 int _level = _enforcing ? LOG_ERR : LOG_WARNING;        \
                 int _e = (error);                                       \
                                                                         \
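Review bot: In `log_enforcing_errno`, `security_getenforce()` runs on the `_enforcing` line before `_e = (error)` is captured, so if any caller passes `errno` as `error` (I cannot see the call sites from here) the libselinux query, which can fail and set errno itself, may have clobbered the value by the time it is read; evaluating `int _e = (error);` first and `bool _enforcing = security_getenforce() != 0;` second keeps the macro independent of the caller's errno. Both macros also fold the -1 failure return of `security_getenforce()` into "enforcing" through `!= 0` without any trace, which is the conservative choice but deserves a comment such as `/* -1 (status unavailable) deliberately counts as enforcing */`. The same silent folding appears in the new lines in access_init and mac_selinux_generic_access_check in src/core/selinux-access.c.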
@@ -66,41 +66,12 @@ bool mac_selinux_use(void) {
 #endif
 }
 
-bool mac_selinux_enforcing(void) {
-#if HAVE_SELINUX
-        if (_unlikely_(cached_enforcing < 0)) {
-                cached_enforcing = security_getenforce();
-                if (cached_enforcing < 0) {
-                        log_debug_errno(errno, "Failed to get SELinux enforced status, continuing in enforcing mode: %m");
-                        return true; /* treat failure as enforcing mode */
-                }
-
-                log_debug("SELinux enforcing state cached to: %s", cached_enforcing ? "enforcing" : "permissive");
-        }
-
-        return cached_enforcing > 0;
-#else
-        return false;
-#endif
-}
-
 void mac_selinux_retest(void) {
 #if HAVE_SELINUX
         cached_use = -1;
-        cached_enforcing = -1;
 #endif
 }
 
-#if HAVE_SELINUX
-static int setenforce_callback(int enforcing) {
-        cached_enforcing = enforcing;
-
-        log_debug("SELinux enforcing state updated to: %s", cached_enforcing ? "enforcing" : "permissive");
-
-        return 0;
-}
-#endif
-
 int mac_selinux_init(void) {
 #if HAVE_SELINUX
         usec_t before_timestamp, after_timestamp;
@@ -109,7 +80,6 @@ int mac_selinux_init(void) {
         int l;
 
         selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload);
-        selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback);
 
         if (label_hnd)
                 return 0;
index 736082cab04ddfa2b30f51ffac15134c187236b2..d053b00b5c9980c37cf5ee5241d71f3b47a6a0fa 100644 (file)
@@ -16,7 +16,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
 #endif
 
 bool mac_selinux_use(void);
-bool mac_selinux_enforcing(void);
 void mac_selinux_retest(void);
 
 int mac_selinux_init(void);
index abfab14dab0eb457bedaa469b62f2e249855a6ce..1d52b5ff0497ba606ab84220453ab3862d93eef7 100644 (file)
@@ -144,8 +144,9 @@ static int access_init(sd_bus_error *error) {
 
         if (avc_open(NULL, 0) != 0) {
                 int saved_errno = errno;
-                const bool enforce = mac_selinux_enforcing();
+                bool enforce;
 
+                enforce = security_getenforce() != 0;
                 log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
 
                 /* If enforcement isn't on, then let's suppress this
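Review bot: The new `bool enforce;` followed by a separate assignment on the next line breaks with the declare-and-initialize style used two lines above (`int saved_errno = errno;`); `bool enforce = security_getenforce() != 0;` is one statement and leaves no uninitialized window. Capturing `saved_errno` before the `security_getenforce()` call is the right order, since that call can itself modify errno. access_init's body continues outside the hunk.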
@@ -197,7 +198,7 @@ int mac_selinux_generic_access_check(
                 return r;
 
         /* delay call until we checked in `access_init()` if SELinux is actually enabled */
-        enforce = mac_selinux_enforcing();
+        enforce = security_getenforce() != 0;
 
         r = sd_bus_query_sender_creds(
                         message,