Diffstat (limited to 'src')
| -rw-r--r-- | src/basic/selinux-util.c | 10 | ||||
| -rw-r--r-- | src/basic/selinux-util.h | 6 | ||||
| -rw-r--r-- | src/core/selinux-setup.c | 6 | ||||
| -rw-r--r-- | src/core/socket.c | 7 | 
4 files changed, 17 insertions, 12 deletions
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index a39a0f775a..747e6f4dbb 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -295,14 +295,20 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
         return r;
 }
-void mac_selinux_free(char *label) {
+char* mac_selinux_free(char *label) {
 #ifdef HAVE_SELINUX
+        if (!label)
+                return NULL;
+
         if (!mac_selinux_use())
-                return;
+                return NULL;
+
         freecon((security_context_t) label);
 #endif
+
+        return NULL;
 }
 int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index 8467185291..2afcaec183 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -24,6 +24,8 @@
 #include <sys/socket.h>
 #include <stdbool.h>
+#include "macro.h"
+
 bool mac_selinux_use(void);
 void mac_selinux_retest(void);
@@ -36,7 +38,7 @@ int mac_selinux_apply(const char *path, const char *label);
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
 int mac_selinux_get_our_label(char **label);
 int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label);
-void mac_selinux_free(char *label);
+char* mac_selinux_free(char *label);
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
 void mac_selinux_create_file_clear(void);
@@ -45,3 +47,5 @@ int mac_selinux_create_socket_prepare(const char *label);
 void mac_selinux_create_socket_clear(void);
 int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(char*, mac_selinux_free);
diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c
index e5b457643b..ff1ea23528 100644
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
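Review bot: The `if (!mac_selinux_use()) return NULL;` path in the new mac_selinux_free() returns without freeing a non-NULL label, so a label that is still alive when mac_selinux_use()'s answer changes is leaked rather than released; this commit's selinux-setup.c hunk calls mac_selinux_retest() in the same function that now relies on the `_cleanup_` helper, so the ordering there is load-bearing. If a non-NULL label can only have been produced by libselinux while mac_selinux_use() was true (the producing helpers are outside this hunk, so this is inferred), the guard is redundant and the safer shape is to keep `if (!label) return NULL;` and then call `freecon((security_context_t) label);` unconditionally before the final `return NULL;`. If the guard is intentional, a one-line comment on it stating that a non-NULL label is deliberately dropped when SELinux is not in use would stop the next reader from treating it as a leak.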
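Review bot: The changed prototype `char* mac_selinux_free(char *label);` and the trailing `DEFINE_TRIVIAL_CLEANUP_FUNC(char*, mac_selinux_free);` in selinux-util.h document neither the NULL-tolerance nor the always-returns-NULL convention that the selinux-setup.c and socket.c callers now depend on through mac_selinux_freep(). A comment above the prototype, e.g. `/* Frees a label returned by the mac_selinux_get_*_label() helpers; accepts NULL and always returns NULL, so "label = mac_selinux_free(label)" clears the pointer. */`, and one above the macro, e.g. `/* Defines mac_selinux_freep() for use with _cleanup_(). */`, would make the contract visible at the declaration rather than only in the definition.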
@@ -78,14 +78,14 @@ int mac_selinux_setup(bool *loaded_policy) {
         before_load = now(CLOCK_MONOTONIC);
         r = selinux_init_load_policy(&enforce);
         if (r == 0) {
+                _cleanup_(mac_selinux_freep) char *label = NULL;
                 char timespan[FORMAT_TIMESPAN_MAX];
-                char *label;
                 mac_selinux_retest();
                 /* Transition to the new context */
                 r = mac_selinux_get_create_label_from_exe(SYSTEMD_BINARY_PATH, &label);
-                if (r < 0 || label == NULL) {
+                if (r < 0 || !label) {
                         log_open();
                         log_error("Failed to compute init label, ignoring.");
                 } else {
@@ -94,8 +94,6 @@ int mac_selinux_setup(bool *loaded_policy) {
                         log_open();
                         if (r < 0)
                                 log_error("Failed to transition into init label '%s', ignoring.", label);
-
-                        mac_selinux_free(label);
                 }
                 after_load = now(CLOCK_MONOTONIC);
diff --git a/src/core/socket.c b/src/core/socket.c
index c0c11e4f6a..55ecada5ee 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1210,10 +1210,10 @@ fail:
 }
 static int socket_open_fds(Socket *s) {
+        _cleanup_(mac_selinux_freep) char *label = NULL;
+        bool know_label = false;
         SocketPort *p;
         int r;
-        char *label = NULL;
-        bool know_label = false;
         assert(s);
@@ -1327,13 +1327,10 @@ static int socket_open_fds(Socket *s) {
                         assert_not_reached("Unknown port type");
         }
-        mac_selinux_free(label);
         return 0;
 rollback:
         socket_close_fds(s);
-        mac_selinux_free(label);
-
         return r;
 }
