author | Daniel Golle <daniel@makrotopia.org> | 2022-05-03 01:12:04 +0100 |
---|---|---|
committer | Daniel Golle <daniel@makrotopia.org> | 2022-05-03 02:05:16 +0100 |
commit | 652e6df06f8413f19a4786a275862cfe76628093 (patch) | |
tree | ad08a03580fde31c24593db92f5ceba6e047889e | |
parent | eb03f03105a857a0b7310e4c93bff46aa29f3a40 (diff) | |
download | procd-652e6df06f8413f19a4786a275862cfe76628093.tar.gz |
init: restore SELinux labels after policy is loaded
Introduce an additional SELinux init step that calls restorecon to
label the filesystem. This fixes SELinux on initramfs or on systems
with an ext4 or ubifs read-write root filesystem.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
-rw-r--r-- | initd/init.c | 27 |
1 files changed, 19 insertions, 8 deletions
diff --git a/initd/init.c b/initd/init.c
index 2eb6ead..29e441d 100644
--- a/initd/init.c
+++ b/initd/init.c
@@ -31,6 +31,8 @@
 #if defined(WITH_SELINUX)
 #include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+#include <selinux/avc.h>
 #endif
 #include "../utils/utils.h"
@@ -75,16 +77,25 @@ cmdline(void)
 static int
 selinux(char **argv)
 {
- int enforce = 0;
 int ret;
+ int enforce = selinux_status_getenforce();
+
+ if (getenv("SELINUX_INIT")) {
+ /* SELinux already initialized */
+ if (getenv("SELINUX_RESTORECON")) {
+ unsetenv("SELINUX_INIT");
+ unsetenv("SELINUX_RESTORECON");
+ return 0;
+ }
+ /* Second call: restore filesystem labels */
+ ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE);
+ putenv("SELINUX_RESTORECON=1");
+ } else {
+ /* First call: load policy */
+ ret = selinux_init_load_policy(&enforce);
+ putenv("SELINUX_INIT=1");
+ }
- /* SELinux already initialized */
- if (getenv("SELINUX_INIT"))
- return 0;
-
- putenv("SELINUX_INIT=1");
-
- ret = selinux_init_load_policy(&enforce);
 if (ret == 0)
 execv(argv[0], argv); |