packaging
/
ostree
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sepolicy: Cache the value of is_selinux_enabled() to work around bug 

This fixes a regression from:
https://github.com/ostreedev/ostree/pull/797
which is really due to an underlying bug in libselinux which
we're working around:
http://marc.info/?l=selinux&m=149323809332417&w=2

We drop the per-policy instance variable, since the SELinux state
is *really* per-kernel.

Closes: https://github.com/ostreedev/ostree/issues/814

Closes: #815
Approved by: jlebon
This commit is contained in:
Colin Walters 2017-04-26 16:54:52 -04:00 committed by Atomic Bot
parent ceb8851806
commit 90b24a8d43
1 changed files with 23 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/libostree/ostree-sepolicy.c
View File

@ -47,8 +47,6 @@ struct OstreeSePolicy {
int rootfs_dfd_owned; int rootfs_dfd_owned;
GFile *path; GFile *path;
gboolean runtime_enabled;
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
GFile *selinux_policy_root; GFile *selinux_policy_root;
struct selabel_handle *selinux_hnd; struct selabel_handle *selinux_hnd;
@ -267,6 +265,23 @@ get_policy_checksum (char **out_csum,
#endif #endif
/* Workaround for http://marc.info/?l=selinux&m=149323809332417&w=2 */
#ifdef HAVE_SELINUX
static gboolean
cached_is_selinux_enabled (void)
{
static gsize initialized;
static gboolean cached_enabled;
if (g_once_init_enter (&initialized))
{
cached_enabled = is_selinux_enabled () == 1;
g_once_init_leave (&initialized, 1);
}
return cached_enabled;
}
#endif
static gboolean static gboolean
initable_init (GInitable *initable, initable_init (GInitable *initable,
GCancellable *cancellable, GCancellable *cancellable,
@ -279,6 +294,11 @@ initable_init (GInitable *initable,
const char *selinux_prefix = "SELINUX="; const char *selinux_prefix = "SELINUX=";
const char *selinuxtype_prefix = "SELINUXTYPE="; const char *selinuxtype_prefix = "SELINUXTYPE=";
/* First thing here, call is_selinux_enabled() to prime the cache. See the
* link above for more information why.
*/
(void) cached_is_selinux_enabled ();
/* TODO - use this below */ /* TODO - use this below */
g_autoptr(GFile) path = NULL; g_autoptr(GFile) path = NULL;
if (self->rootfs_dfd != -1) if (self->rootfs_dfd != -1)
@ -345,7 +365,6 @@ initable_init (GInitable *initable,
if (enabled) if (enabled)
{ {
self->runtime_enabled = is_selinux_enabled () == 1;
const char *policy_rootpath = gs_file_get_path_cached (policy_root); const char *policy_rootpath = gs_file_get_path_cached (policy_root);
g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE); g_setenv ("LIBSELINUX_DISABLE_PCRE_PRECOMPILED", "1", FALSE);
@ -613,7 +632,7 @@ ostree_sepolicy_setfscreatecon (OstreeSePolicy *self,
* request. To correctly handle the case of disabled host but * request. To correctly handle the case of disabled host but
* enabled target will require nontrivial work. * enabled target will require nontrivial work.
*/ */
if (!self->runtime_enabled) if (!cached_is_selinux_enabled ())
return TRUE; return TRUE;
if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error)) if (!ostree_sepolicy_get_label (self, path, mode, &label, NULL, error))