From d682b3a7e7c7c2941a4d3e193f1e330dbc9fae89 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 10 Oct 2013 16:35:44 +0200
Subject: security: rework selinux, smack, ima, apparmor detection logic

Always cache the results, and bypass low-level security calls when the respective subsystem is not enabled.
---
 src/udev/udev-node.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 (limited to 'src/udev')

diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index 187e24e5b6..c5d629d1ce 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -32,6 +32,7 @@
 #include
 #endif
+#include "smack-util.h"
 #include "udev.h"
 static int node_symlink(struct udev_device *dev, const char *node, const char *slink)
@@ -311,7 +312,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
 log_debug("SECLABEL: set SELinux label '%s'", label);
 #ifdef HAVE_SMACK
- } else if (streq(name, "smack")) {
+ } else if (streq(name, "smack") && use_smack()) {
 smack = true;
 if (lsetxattr(devnode, "security.SMACK64", label, strlen(label), 0) < 0)
 log_error("SECLABEL: failed to set SMACK label '%s'", label);
@@ -327,7 +328,7 @@ static int node_permissions_apply(struct udev_device *dev, bool apply,
 if (!selinux)
 label_fix(devnode, true, false);
 #ifdef HAVE_SMACK
- if (!smack)
+ if (!smack && use_smack())
 lremovexattr(devnode, "security.SMACK64");
 #endif
 }
--
cgit v1.2.3-54-g00ecf
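Review bot: In the second hunk of node_permissions_apply, folding `use_smack()` into the `streq(name, "smack")` test means a smack SECLABEL on a system where SMACK is compiled in but reported inactive no longer matches this branch and falls through to whatever branch follows outside the hunk, so the label is skipped without a message that says why. A dedicated branch would keep that visible, for example `} else if (streq(name, "smack")) {` followed by `log_debug("SECLABEL: SMACK not active, ignoring label '%s'", label);` when `use_smack()` is false. The commit message says the detection result is cached, and `use_smack()` itself is defined outside this path-limited diff, so it is worth confirming that the first call cannot happen before the kernel's SMACK interface is visible to udevd; a cached false would presumably leave device nodes without their intended label here and leave stale `security.SMACK64` attributes in place in the third hunk for the life of the process. The function body starts and ends outside both hunks.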