diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-10-23 18:34:58 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-10-23 21:36:56 +0200 |
commit | 5dfc54615a1eacea18106383c964425cebd67c30 (patch) | |
tree | 7f6b1cbf4190a08c7b74adc79db2ee3d309b40b8 /src/shared/selinux-util.c | |
parent | d1ce2089b4b2fb1f1d8faba9a0aa6d9f8fbb0638 (diff) |
smack: rework SMACK label fixing code to follow more closely the semantics of the matching selinux code
Diffstat (limited to 'src/shared/selinux-util.c')
-rw-r--r-- | src/shared/selinux-util.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c index b1fdfab434..9707d0cefa 100644 --- a/src/shared/selinux-util.c +++ b/src/shared/selinux-util.c @@ -113,22 +113,25 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { #ifdef HAVE_SELINUX struct stat st; - security_context_t fcon; + assert(path); + + /* if mac_selinux_init() wasn't called before we are a NOOP */ if (!label_hnd) return 0; r = lstat(path, &st); - if (r == 0) { + if (r >= 0) { + _cleanup_security_context_free_ security_context_t fcon = NULL; + r = selabel_lookup_raw(label_hnd, &fcon, path, st.st_mode); /* If there's no label to set, then exit without warning */ if (r < 0 && errno == ENOENT) return 0; - if (r == 0) { + if (r >= 0) { r = lsetfilecon(path, fcon); - freecon(fcon); /* If the FS doesn't support labels, then exit without warning */ if (r < 0 && errno == ENOTSUP) @@ -144,8 +147,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { if (ignore_erofs && errno == EROFS) return 0; - log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, - "Unable to fix label of %s: %m", path); + log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path); r = security_getenforce() == 1 ? -errno : 0; } #endif @@ -156,11 +158,10 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) { void mac_selinux_finish(void) { #ifdef HAVE_SELINUX - if (!mac_selinux_use()) + if (!label_hnd) return; - if (label_hnd) - selabel_close(label_hnd); + selabel_close(label_hnd); #endif } |