From: Christian Göttsche Date: Tue, 17 Mar 2020 17:11:14 +0000 (+0100) Subject: selinux: delay mac_selinux_enforcing call after SELinux was determined to be enabled X-Git-Tag: v246-rc1~729 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=194fe32296b5079cf4edcffbe15f672ff8a9e762;p=thirdparty%2Fsystemd.git selinux: delay mac_selinux_enforcing call after SELinux was determined to be enabled Calling `mac_selinux_enforcing()`, which calls `security_getenforce()`, on a SELinux disabled system causes the following error message to be printed: Failed to get SELinux enforced status: No such file or directory Fixes: 257188f80ce1a083e3a88b679b898a73fecab53b ("selinux: cache enforced status and treat retrieve failure as enforced mode") Supersedes: #15145 --- diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index 008a8ba9b6a..e40898d10bc 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -185,7 +185,7 @@ int mac_selinux_generic_access_check( _cleanup_free_ char *cl = NULL; _cleanup_freecon_ char *fcon = NULL; char **cmdline = NULL; - const bool enforce = mac_selinux_enforcing(); + bool enforce; int r = 0; assert(message); @@ -196,6 +196,9 @@ int mac_selinux_generic_access_check( if (r <= 0) return r; + /* delay call until we checked in `access_init()` if SELinux is actually enabled */ + enforce = mac_selinux_enforcing(); + r = sd_bus_query_sender_creds( message, SD_BUS_CREDS_PID|SD_BUS_CREDS_EUID|SD_BUS_CREDS_EGID|
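Review bot: In the first hunk of src/core/selinux-access.c (@@ -185,7), `bool enforce;` is now declared without an initial value and without `const`, so it is indeterminate until the assignment that the second hunk places after `if (r <= 0) return r;`. Nothing in the visible lines reads it before that point, but a later edit that uses `enforce` earlier in the function would not fail safe. Consider `bool enforce = true;`, which matches the "treat retrieve failure as enforced mode" behaviour named in the Fixes: line.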
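Review bot: In the second hunk (@@ -196,6), the new comment above `enforce = mac_selinux_enforcing();` says the call is delayed until `access_init()` has checked whether SELinux is enabled, but it does not say why the order matters or which result means disabled. The hunk shows only `if (r <= 0) return r;` ahead of it, so consider saying in the comment that this early return is what covers the disabled case, and that calling `mac_selinux_enforcing()` before it logs "Failed to get SELinux enforced status" on a SELinux disabled system. That keeps a later cleanup from moving the call back into the declaration.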