selinux: relabel /dev after loading policy

author: Lennart Poettering <lennart@poettering.net> 2010-11-07 22:59:39 -0500
committer: Lennart Poettering <lennart@poettering.net> 2010-11-10 22:38:43 +0100
commit: 1829dc9dc5f38cd1aaa43912de56c3bb5d8b5617 (patch)
tree: e5c339ed6e00522b82d336d4498c5322e3621823 /src/selinux-setup.c
parent: 31a7034d38fd7550699e6fbd002bbe42d9ea3b7e (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/src/selinux-setup.c b/src/selinux-setup.c
index d4da693ca4..b2beb33d1f 100644
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -42,8 +42,14 @@ int selinux_setup(char *const argv[]) {
        if (path_is_mount_point("/selinux") > 0)
                return 0;
 
+       /* Before we load the policy we create a flag file to ensure
+        * that after the reexec we iterate through /dev to relabel
+        * things. */
+       mkdir_p("/dev/.systemd", 0755);
+       touch("/dev/.systemd/relabel-devtmpfs");
+
        if (selinux_init_load_policy(&enforce) == 0) {
-               log_info("Successfully loaded SELinux policy, reexecuting.");
+               log_debug("Successfully loaded SELinux policy, reexecuting.");
 
                /* FIXME: Ideally we'd just call setcon() here instead
                 * of having to reexecute ourselves here. */
@@ -55,6 +61,8 @@ int selinux_setup(char *const argv[]) {
        } else {
                log_full(enforce > 0 ? LOG_ERR : LOG_DEBUG, "Failed to load SELinux policy.");
 
+               unlink("/dev/.systemd/relabel-devtmpfs");
+
                if (enforce > 0)
                        return -EIO;
        }
author	Lennart Poettering <lennart@poettering.net>	2010-11-07 22:59:39 -0500
committer	Lennart Poettering <lennart@poettering.net>	2010-11-10 22:38:43 +0100
commit	1829dc9dc5f38cd1aaa43912de56c3bb5d8b5617 (patch)
tree	e5c339ed6e00522b82d336d4498c5322e3621823 /src/selinux-setup.c
parent	31a7034d38fd7550699e6fbd002bbe42d9ea3b7e (diff)