selinux: Disable selinux logging in mac_init() as well

We currently only disable selinux logging in mac_selinux_setup(),
but not in mac_init(). We don't want libraries we use to log unless
we tell them to, so disable selinux's logging in mac_init() as well.

diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index f687cfcd53677d0f53e2f1172b381463ae52cac5..6a08782ae8cb40a751c52d4ef901339bb103ff0f 100644 (file)
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -19,21 +19,13 @@
 #include "string-util.h"
 #include "time-util.h"
 
-#if HAVE_SELINUX
-_printf_(2,3)
-static int null_log(int type, const char *fmt, ...) {
-        return 0;
-}
-#endif
-
 int mac_selinux_setup(bool *loaded_policy) {
         assert(loaded_policy);
 
 #if HAVE_SELINUX
         int r;
 
-        /* Turn off all of SELinux' own logging, we want to do that ourselves */
-        selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log });
+        mac_selinux_disable_logging();
 
         /* Don't load policy in the initrd if we don't appear to have it.  For the real root, we check below
          * if we've already loaded policy, and return gracefully. */

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 243413bdf786d9645b9c2ea6d35b997494a78f37..bf97dcf53e9278b02b2573057e0e0b974e69d18a 100644 (file)
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -167,6 +167,8 @@ static int selinux_init(bool force) {
         if (!force && initialized != LAZY_INITIALIZED)
                 return 1;
 
+        mac_selinux_disable_logging();
+
         r = selinux_status_open(/* netlink fallback= */ 1);
         if (r < 0) {
                 if (!ERRNO_IS_PRIVILEGE(errno))
@@ -263,6 +265,20 @@ void mac_selinux_finish(void) {
 #endif
 }
 
+#if HAVE_SELINUX
+_printf_(2,3)
+static int selinux_log_glue(int type, const char *fmt, ...) {
+        return 0;
+}
+#endif
+
+void mac_selinux_disable_logging(void) {
+#if HAVE_SELINUX
+        /* Turn off all of SELinux' own logging, we want to do that ourselves */
+        selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = selinux_log_glue });
+#endif
+}
+
 #if HAVE_SELINUX
 static int selinux_fix_fd(
                 int fd,

diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index d47b9a235ac864ed5fa2b4c01fb0a6e8925e1092..3ca6232b349609169c22e84bfa3220e8b1dea48a 100644 (file)
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -32,6 +32,8 @@ int mac_selinux_init_lazy(void);
 void mac_selinux_maybe_reload(void);
 void mac_selinux_finish(void);
 
+void mac_selinux_disable_logging(void);
+
 int mac_selinux_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
 
 int mac_selinux_apply(const char *path, const char *label);