main: load Smack policy before IMA policy (#3859)

IMA wiki says: "If the IMA policy contains LSM labels, then the LSM
policy must be loaded prior to the IMA policy." Right now, in case of
Smack, the IMA policy is loaded before the Smack policy. Move the order
around to allow Smack labels to be used in IMA policy.

diff --git a/src/core/main.c b/src/core/main.c
index 74b8ea139fe1bed9d8652f25123942d8815e306b..c46d8866534c462ae5131bb66eff2b662eb5f613 100644 (file)
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -1414,12 +1414,12 @@ int main(int argc, char *argv[]) {
                         if (mac_selinux_setup(&loaded_policy) < 0) {
                                 error_message = "Failed to load SELinux policy";
                                 goto finish;
-                        } else if (ima_setup() < 0) {
-                                error_message = "Failed to load IMA policy";
-                                goto finish;
                         } else if (mac_smack_setup(&loaded_policy) < 0) {
                                 error_message = "Failed to load SMACK policy";
                                 goto finish;
+                        } else if (ima_setup() < 0) {
+                                error_message = "Failed to load IMA policy";
+                                goto finish;
                         }
                         dual_timestamp_get(&security_finish_timestamp);
                 }