selinux: fix SEGV during switch-root if SELinux policy loaded

If you've got SELinux policy loaded, label_hnd is your labeling handle. When systemd is shutting down, we free that handle via mac_selinux_finish(). But: switch_root() calls mkdir_p_label(), which tries to look up a label using that freed handle, and so we get a bunch of garbage and eventually SEGV in libselinux. (This doesn't happen in the switch-root from initramfs to real root because there's no SELinux policy loaded in initramfs, so label_hnd is NULL and we never attempt any lookups.) So: make sure that mac_selinux_finish() actually sets label_hnd to NULL, so nobody tries to use it after it becomes invalid. https://bugzilla.redhat.com/show_bug.cgi?id=1185604 Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
author: Will Woods <wwoods@redhat.com> 2015-03-13 17:24:46 -0400
committer: Anthony G. Basile <blueness@gentoo.org> 2015-03-18 21:15:17 -0400
commit: 59b6fb3b75063fbefa9f0f6132e0f3c5093517a9 (patch)
tree: 34dbaa8417a6d38bd1310e648cccfe4d59e533c8
parent: c45230b3b0874ba256274116ca1cb7e1fd0f04c3 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 4d6808abaa..756215e8ef 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -115,6 +115,7 @@ void mac_selinux_finish(void) {
                 return;
 
         selabel_close(label_hnd);
+        label_hnd = NULL;
 #endif
 }
author	Will Woods <wwoods@redhat.com>	2015-03-13 17:24:46 -0400
committer	Anthony G. Basile <blueness@gentoo.org>	2015-03-18 21:15:17 -0400
commit	59b6fb3b75063fbefa9f0f6132e0f3c5093517a9 (patch)
tree	34dbaa8417a6d38bd1310e648cccfe4d59e533c8
parent	c45230b3b0874ba256274116ca1cb7e1fd0f04c3 (diff)