selinux: fix loading policy at early boot

First, check for the cached enabled/disabled, as that's what all the
label functions used to do. Then, if initialization is not done yet,
do not cause the label functions to bail out, as it's expected to
happen at early boot.

Among other things, fixes:

systemd[1]: Failed to compute init label, ignoring.

Follow-up for: 0617da2edb91669a

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index fb7da12fb6bf4d2826c6c479e28fc06072dc8272..cdad5e1ab0fa2c9af572be03781ac12a8c986e01 100644 (file)
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -158,16 +158,17 @@ static int selinux_init(bool force) {
         };
         int r;
 
+        if (!mac_selinux_use())
+                return 0;
+
         if (initialized == INITIALIZED)
                 return 1;
 
         /* Internal call from this module? Unless we were explicitly configured to allow lazy initialization
-         * bail out immediately. */
+         * bail out immediately. Pretend all is good, we do not want callers to abort here, for example at
+         * early boot when the policy is being initialised. */
         if (!force && initialized != LAZY_INITIALIZED)
-                return 0;
-
-        if (!mac_selinux_use())
-                return 0;
+                return 1;
 
         r = selinux_status_open(/* netlink fallback */ 1);
         if (r < 0) {