authorLennart Poettering <lennart@poettering.net>2011-04-04 16:56:51 +0200
committerLennart Poettering <lennart@poettering.net>2011-04-04 16:58:23 +0200
commit3bbecb2f2cd758e2513993efad01180c7c3c665f (patch)
tree06f076c37810747023d7f878b4efe2b8dc84445a
parent9d8677dad260d7dc20146f8affe3d376daff7c19 (diff)
selinux: relabel /run the same way as /dev after loading the policy since they both come pre-filled and unlabelled
-rw-r--r--src/mount-setup.c4
-rw-r--r--src/selinux-setup.c8
2 files changed, 7 insertions, 5 deletions
diff --git a/src/mount-setup.c b/src/mount-setup.c
index 49eab0bfa7..a42ed43957 100644
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -243,8 +243,10 @@ int mount_setup(void) {
* appropriate labels, after mounting. The other virtual API
* file systems do not need. */
- if (unlink("/dev/.systemd-relabel-devtmpfs") >= 0)
+ if (unlink("/dev/.systemd-relabel-run-dev") >= 0) {
nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+ nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+ }
/* Create a few default symlinks, which are normally created
* bei udevd, but some scripts might need them before we start
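Review bot: Both nftw() calls in the new braced block discard their return value, so a walk of /run that aborts partway leaves entries unlabelled with nothing in the log. Once the policy is loaded, unlabelled files under /run can be denied to confined services, so a partial relabel is worth surfacing: `if (nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS) != 0) log_warning("Failed to relabel /run completely.");`, and the same for /dev. FTW_MOUNT keeps each walk on one file system, so anything mounted below /run is presumably not covered; a short comment saying whether that is intended would help. mount_setup() continues outside the hunk and nftw_cb is not visible here.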
diff --git a/src/selinux-setup.c b/src/selinux-setup.c
index e21ff6bb9f..c32c7ad8db 100644
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -43,9 +43,9 @@ int selinux_setup(char *const argv[]) {
return 0;
/* Before we load the policy we create a flag file to ensure
- * that after the reexec we iterate through /dev to relabel
- * things. */
- touch("/dev/.systemd-relabel-devtmpfs");
+ * that after the reexec we iterate through /run and /dev to
+ * relabel things. */
+ touch("/dev/.systemd-relabel-run-dev");
if (selinux_init_load_policy(&enforce) == 0) {
log_debug("Successfully loaded SELinux policy, reexecuting.");
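Review bot: The result of `touch("/dev/.systemd-relabel-run-dev")` is not checked, and that file is the only signal telling mount_setup() to relabel /dev and /run after the reexec. If the file cannot be created, the policy is still loaded and the relabel is silently skipped. Assuming touch() returns a negative value on failure (its definition is outside this hunk), log it: `if (touch("/dev/.systemd-relabel-run-dev") < 0) log_warning("Failed to create relabel flag file, /run and /dev will stay unlabelled.");`. selinux_setup() starts and ends outside the hunk.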
@@ -60,7 +60,7 @@ int selinux_setup(char *const argv[]) {
} else {
log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
- unlink("/dev/.systemd-relabel-devtmpfs");
+ unlink("/dev/.systemd-relabel-run-dev");
if (enforce > 0)
return -EIO;
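Review bot: The flag path `"/dev/.systemd-relabel-run-dev"` is now spelled out three times across selinux-setup.c (this hunk and the previous one) and mount-setup.c, and nothing ties the copies together. If a later rename misses one, the relabel of /dev and /run is skipped without any error, because the `unlink()` in mount_setup() would fail on a missing file and look like "no relabel requested". Define the path once in a header both files include, for example a proposed `#define RELABEL_FLAG_FILE "/dev/.systemd-relabel-run-dev"`, and use it at all three sites.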