selinux: fork label-aware children with up-to-date label database

The parent process may not perform any label operation, so the database might not get updated on a SELinux policy change on its own. Reload the label database once on a policy change, instead of n times in every started child.
2020-08-22 20:42:22 +02:00 · 2020-08-22 20:42:22 +02:00 · 2df2152c20
parent fd5e402fa9
commit 2df2152c20
2 changed files with 8 additions and 0 deletions
--- a/src/core/execute.c
+++ b/src/core/execute.c
@ -4105,6 +4105,10 @@ int exec_spawn(Unit *unit,
        if (!line)
                return log_oom();

+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
        log_struct(LOG_DEBUG,
                   LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
                   "EXECUTABLE=%s", command->path,
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@ -656,6 +656,10 @@ static void event_run(Manager *manager, struct event *event) {
        /* Re-enable the debug message for the next batch of events */
        log_children_max_reached = true;

+        /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+           and, until the next SELinux policy changes, we safe further reloads in future children */
+        mac_selinux_maybe_reload();
+
        /* start new worker and pass initial device */
        worker_spawn(manager, event);
 }