selinux: fork label-aware children with up-to-date label database

The parent process may not perform any label operation, so the
database might not get updated on a SELinux policy change on its own.

Reload the label database once on a policy change, instead of n times
in every started child.

diff --git a/src/core/execute.c b/src/core/execute.c
index d5107288a179a74d68fa35b8f9eb0f897f66566c..666bdc4bc140c3925c67a45647df809cf859f492 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4105,6 +4105,10 @@ int exec_spawn(Unit *unit,
         if (!line)
                 return log_oom();
 
+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
         log_struct(LOG_DEBUG,
                    LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
                    "EXECUTABLE=%s", command->path,

diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 8c7c7046e71e5a1e1d589e5722161937ccd673b9..b2052578eb5bb892859311251b337d734420a851 100644 (file)
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -656,6 +656,10 @@ static void event_run(Manager *manager, struct event *event) {
         /* Re-enable the debug message for the next batch of events */
         log_children_max_reached = true;
 
+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
         /* start new worker and pass initial device */
         worker_spawn(manager, event);
 }