From 2df2152c206bd2fa8e8d086feeb0555f5b7152c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Sat, 22 Aug 2020 20:42:22 +0200
Subject: [PATCH] selinux: fork label-aware children with up-to-date label database

The parent process may not perform any label operation, so the database might not get updated on a SELinux policy change on its own.

Reload the label database once on a policy change, instead of n times in every started child.
---
 src/core/execute.c | 4 ++++
 src/udev/udevd.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/src/core/execute.c b/src/core/execute.c
index d5107288a1..666bdc4bc1 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4105,6 +4105,10 @@ int exec_spawn(Unit *unit,
 if (!line)
 return log_oom();
 
+ /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+ and, until the next SELinux policy changes, we safe further reloads in future children */
+ mac_selinux_maybe_reload();
+
 log_struct(LOG_DEBUG,
 LOG_UNIT_MESSAGE(unit, "About to execute: %s", line),
 "EXECUTABLE=%s", command->path,
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 8c7c7046e7..b2052578eb 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -656,6 +656,10 @@ static void event_run(Manager *manager, struct event *event) {
 /* Re-enable the debug message for the next batch of events */
 log_children_max_reached = true;
 
+ /* fork with up-to-date SELinux label database, so the child inherits the up-to-date db
+ and, until the next SELinux policy changes, we safe further reloads in future children */
+ mac_selinux_maybe_reload();
+
 /* start new worker and pass initial device */
 worker_spawn(manager, event);
 }
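Review bot: The added comment in the execute.c hunk (and the identical one in the udevd.c hunk) reads "we safe further reloads", which should be "save", and it does not say what goes wrong without the reload, which is the part a maintainer later needs to know before moving or dropping the call. I would write it as `/* Fork with an up-to-date SELinux label database: the child inherits the db and would otherwise presumably label the files it creates under the stale policy; until the next policy change this also saves a reload in every further child. */`. exec_spawn begins before this hunk, so whether anything between this call and the actual fork can still observe a policy change is not visible here.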
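Review bot: In the udevd.c hunk the reload sits directly before worker_spawn(), so it only covers newly spawned workers; the earlier part of event_run, outside the hunk, presumably hands events to an already-idle worker, which keeps whatever label database it inherited at its own fork. That is only safe if the worker's own label operations check for a policy change themselves, which the commit message's "instead of n times in every started child" suggests but this diff does not show. Worth stating in the comment so the assumption is explicit, e.g. `/* Reused idle workers are not covered here; they rely on the reload check in their own label calls. */`.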