From: Daan De Meyer
Date: Wed, 23 Apr 2025 15:26:11 +0000 (+0200)
Subject: selinux: Disable selinux logging in mac_init() as well
X-Git-Tag: v258-rc1~741
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d04f6fe446d5d64e1961a6d7d2abd7cf88adcb36;p=thirdparty%2Fsystemd.git

selinux: Disable selinux logging in mac_init() as well

We currently only disable selinux logging in mac_selinux_setup(), but not in mac_init(). We don't want libraries we use to log unless we tell them to, so disable selinux's logging in mac_init() as well.
---

diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index f687cfcd536..6a08782ae8c 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -19,21 +19,13 @@
 #include "string-util.h"
 #include "time-util.h"
-#if HAVE_SELINUX
-_printf_(2,3)
-static int null_log(int type, const char *fmt, ...) {
- return 0;
-}
-#endif
-
 int mac_selinux_setup(bool *loaded_policy) {
 assert(loaded_policy);
 #if HAVE_SELINUX
 int r;
- /* Turn off all of SELinux' own logging, we want to do that ourselves */
- selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log });
+ mac_selinux_disable_logging();
 /* Don't load policy in the initrd if we don't appear to have it. For the real root, we check below
 * if we've already loaded policy, and return gracefully. */
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 243413bdf78..bf97dcf53e9 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -167,6 +167,8 @@ static int selinux_init(bool force) {
 if (!force && initialized != LAZY_INITIALIZED)
 return 1;
+ mac_selinux_disable_logging();
+
 r = selinux_status_open(/* netlink fallback= */ 1);
 if (r < 0) {
 if (!ERRNO_IS_PRIVILEGE(errno))
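Review bot: In selinux_init() (src/shared/selinux-util.c, hunk at -167) the added `mac_selinux_disable_logging();` overwrites the process-wide SELINUX_CB_LOG callback whenever this path runs, and the lazy-initialization check directly above it suggests that can happen well after startup. If other code in the same process has installed its own SELINUX_CB_LOG handler by then (for instance to forward userspace AVC messages to audit), that handler would be silently replaced and its records lost; the hunk does not show whether that ordering is possible. A comment at the call would make the constraint explicit, e.g. `/* Must run before anything installs its own SELINUX_CB_LOG handler; this overwrites it */`, or the callback could be set only once. selinux_init() starts and ends outside the hunk.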
@@ -263,6 +265,20 @@ void mac_selinux_finish(void) {
 #endif
 }
+#if HAVE_SELINUX
+_printf_(2,3)
+static int selinux_log_glue(int type, const char *fmt, ...) {
+ return 0;
+}
+#endif
+
+void mac_selinux_disable_logging(void) {
+#if HAVE_SELINUX
+ /* Turn off all of SELinux' own logging, we want to do that ourselves */
+ selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = selinux_log_glue });
+#endif
+}
+
 #if HAVE_SELINUX
 static int selinux_fix_fd(
 int fd,
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index d47b9a235ac..3ca6232b349 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -32,6 +32,8 @@ int mac_selinux_init_lazy(void);
 void mac_selinux_maybe_reload(void);
 void mac_selinux_finish(void);
+void mac_selinux_disable_logging(void);
+
 int mac_selinux_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
 int mac_selinux_apply(const char *path, const char *label);
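Review bot: `selinux_log_glue()` in the -263 hunk of src/shared/selinux-util.c discards every libselinux message regardless of `type`, so SELINUX_ERROR and SELINUX_AVC output is dropped together with informational noise, while the name suggests it forwards to the project's logger. The comment says "we want to do that ourselves", but nothing in the hunk does, so a failed labeling or status operation is only visible if each caller logs it. I would document the intent on the callback, `/* Deliberately drops all libselinux messages, including SELINUX_ERROR and SELINUX_AVC */`, or forward the messages at debug level so they can be recovered when diagnosing a denied or mislabeled operation. The exported declaration in selinux-util.h would also benefit from a one-line comment saying the effect is process-wide.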