From: Christian Göttsche
Date: Sat, 22 Aug 2020 18:42:22 +0000 (+0200)
Subject: selinux: fork label-aware children with up-to-date label database
X-Git-Tag: v247-rc1~305^2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2df2152c206bd2fa8e8d086feeb0555f5b7152c9;p=thirdparty%2Fsystemd.git

selinux: fork label-aware children with up-to-date label database

The parent process may not perform any label operation, so the database might not get updated on a SELinux policy change on its own.

Reload the label database once on a policy change, instead of n times in every started child.
---
diff --git a/src/core/execute.c b/src/core/execute.c
index d5107288a17..666bdc4bc14 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4105,6 +4105,10 @@ int exec_spawn(Unit *unit,
 if (!line)
 return log_oom();
+ /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+ and, until the next SELinux policy changes, we safe further reloads in future children */
+ mac_selinux_maybe_reload();
+
 log_struct(LOG_DEBUG,
 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
 "EXECUTABLE=%s", command->path,
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 8c7c7046e71..b2052578eb5 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -656,6 +656,10 @@ static void event_run(Manager *manager, struct event *event) {
 /* Re-enable the debug message for the next batch of events */
 log_children_max_reached = true;
+ /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+ and, until the next SELinux policy changes, we safe further reloads in future children */
+ mac_selinux_maybe_reload();
+
 /* start new worker and pass initial device */
 worker_spawn(manager, event);
 }
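Review bot: The added comment above `mac_selinux_maybe_reload()` in exec_spawn() reads "we safe further reloads", which should be "save", and "the next SELinux policy changes" should be "the next SELinux policy change"; the identical comment is duplicated in the udevd.c event_run() hunk and needs the same fix. I would write it as `/* Fork with an up-to-date SELinux label database, so the child inherits it and, until the next SELinux policy change, we save further reloads in future children. */`. Whether mac_selinux_maybe_reload() can report a failed reload is not visible in this hunk; if it can, a debug-level log at this call site would let an operator distinguish a stale label database from a policy problem when a child later labels files wrongly. Both exec_spawn() and event_run() begin and end outside their hunks.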