core: reload SELinux label cache on daemon-reload

Reloading the SELinux label cache here enables a light-wight follow-up of a SELinux policy change, e.g. adding a label for a RuntimeDirectory. Closes: #13363
2019-11-27 19:43:47 +01:00 · 2019-11-27 19:43:47 +01:00 · a9dfac21ec
parent 97a3e8d582
commit a9dfac21ec
3 changed files with 23 additions and 0 deletions
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@ -107,6 +107,26 @@ void mac_selinux_finish(void) {
 #endif
 }

+void mac_selinux_reload(void) {
+
+#if HAVE_SELINUX
+        struct selabel_handle *backup_label_hnd;
+
+        if (!label_hnd)
+                return;
+
+        backup_label_hnd = TAKE_PTR(label_hnd);
+
+        /* try to initialize new handle
+         *    on success close backup
+         *    on failure restore backup */
+        if (mac_selinux_init() == 0)
+                selabel_close(backup_label_hnd);
+        else
+                label_hnd = backup_label_hnd;
+#endif
+}
+
 int mac_selinux_fix(const char *path, LabelFixFlags flags) {

 #if HAVE_SELINUX
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@ -13,6 +13,7 @@ void mac_selinux_retest(void);

 int mac_selinux_init(void);
 void mac_selinux_finish(void);
+void mac_selinux_reload(void);

 int mac_selinux_fix(const char *path, LabelFixFlags flags);
 int mac_selinux_apply(const char *path, const char *label);
--- a/src/core/main.c
+++ b/src/core/main.c
@ -1747,6 +1747,8 @@ static int invoke_main_loop(
                        saved_log_level = m->log_level_overridden ? log_get_max_level() : -1;
                        saved_log_target = m->log_target_overridden ? log_get_target() : _LOG_TARGET_INVALID;

+                        mac_selinux_reload();
+
                        (void) parse_configuration(saved_rlimit_nofile, saved_rlimit_memlock);

                        set_manager_defaults(m);