Merge pull request #16223 from cgzones/user_selinux
Initialize SELinux in user instances
This commit is contained in:
Lennart Poettering
GitHub
commit
bc8d57f290
|
|
@ -122,7 +122,7 @@ int mac_selinux_init(void) {
|
|||
|
||||
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
|
||||
if (!label_hnd)
|
||||
return log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
|
||||
return log_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m");
|
||||
|
||||
after_timestamp = now(CLOCK_MONOTONIC);
|
||||
after_mallinfo = mallinfo();
|
||||
|
|
|
|||
|
|
@ -2559,7 +2559,7 @@ int main(int argc, char *argv[]) {
|
|||
}
|
||||
|
||||
if (mac_selinux_init() < 0) {
|
||||
error_message = "Failed to initialize SELinux policy";
|
||||
error_message = "Failed to initialize SELinux support";
|
||||
goto finish;
|
||||
}
|
||||
|
||||
|
|
@ -2603,6 +2603,11 @@ int main(int argc, char *argv[]) {
|
|||
/* clear the kernel timestamp,
|
||||
* because we are not PID 1 */
|
||||
kernel_timestamp = DUAL_TIMESTAMP_NULL;
|
||||
|
||||
if (mac_selinux_init() < 0) {
|
||||
error_message = "Failed to initialize SELinux support";
|
||||
goto finish;
|
||||
}
|
||||
}
|
||||
|
||||
if (arg_system) {
|
||||
|
|
|
|||
|
|
@ -801,7 +801,10 @@ static int run(int argc, char *argv[]) {
|
|||
return r;
|
||||
|
||||
umask(0022);
|
||||
mac_selinux_init();
|
||||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
|
||||
|
||||
|
|
|
|||
|
|
@ -125,7 +125,9 @@ static int run(int argc, char *argv[]) {
|
|||
if (r <= 0)
|
||||
return r;
|
||||
|
||||
mac_selinux_init();
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return hwdb_main(argc, argv);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -788,7 +788,10 @@ static int run(int argc, char *argv[]) {
|
|||
return r;
|
||||
|
||||
umask(0022);
|
||||
mac_selinux_init();
|
||||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
|
||||
|
||||
|
|
|
|||
|
|
@ -1173,7 +1173,7 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Could not initialize labelling: %m");
|
||||
return r;
|
||||
|
||||
/* Always create the directories people can create inotify watches in. Note that some applications might check
|
||||
* for the existence of /run/systemd/seats/ to determine whether logind is available, so please always make
|
||||
|
|
|
|||
|
|
@ -192,11 +192,11 @@ static int run(int argc, char *argv[]) {
|
|||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"First argument must be either \"start\" or \"stop\".");
|
||||
|
||||
umask(0022);
|
||||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Could not initialize labelling: %m\n");
|
||||
|
||||
umask(0022);
|
||||
return r;
|
||||
|
||||
if (streq(argv[1], "start"))
|
||||
return do_mount(argv[2]);
|
||||
|
|
|
|||
|
|
@ -40,7 +40,7 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "SELinux setup failed: %m");
|
||||
return r;
|
||||
|
||||
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
|
||||
* privileges are already dropped and we can't create our directory. */
|
||||
|
|
|
|||
|
|
@ -1898,7 +1898,7 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "SELinux setup failed: %m");
|
||||
return r;
|
||||
|
||||
/* If command line arguments are specified along with --replace, read all
|
||||
* configuration files and insert the positional arguments at the specified
|
||||
|
|
|
|||
|
|
@ -377,7 +377,10 @@ static int context_write_data_local_rtc(Context *c) {
|
|||
}
|
||||
}
|
||||
|
||||
mac_selinux_init();
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return write_string_file_atomic_label("/etc/adjtime", w);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -3262,7 +3262,9 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
umask(0022);
|
||||
|
||||
mac_selinux_init();
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
items = ordered_hashmap_new(&item_array_hash_ops);
|
||||
globs = ordered_hashmap_new(&item_array_hash_ops);
|
||||
|
|
|
|||
|
|
@ -124,7 +124,10 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
log_set_max_level_realm(LOG_REALM_SYSTEMD, log_get_max_level());
|
||||
|
||||
mac_selinux_init();
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return udevadm_main(argc, argv);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1863,7 +1863,7 @@ int run_udevd(int argc, char *argv[]) {
|
|||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Could not initialize labelling: %m");
|
||||
return r;
|
||||
|
||||
r = mkdir_errno_wrapper("/run/udev", 0755);
|
||||
if (r < 0 && r != -EEXIST)
|
||||
|
|
|
|||
|
|
@ -49,10 +49,8 @@ int main(int argc, char *argv[]) {
|
|||
}
|
||||
|
||||
r = mac_selinux_init();
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "SELinux setup failed: %m");
|
||||
if (r < 0)
|
||||
return EXIT_FAILURE;
|
||||
}
|
||||
|
||||
r = apply_timestamp("/etc/.updated", &st.st_mtim);
|
||||
q = apply_timestamp("/var/.updated", &st.st_mtim);
|
||||
|
|
|
|||
|
|
@ -25,7 +25,9 @@ static int run(int argc, char *argv[]) {
|
|||
|
||||
umask(0022);
|
||||
|
||||
mac_selinux_init();
|
||||
r = mac_selinux_init();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (streq(argv[1], "start")) {
|
||||
r = unlink_or_warn("/run/nologin");
|
||||
|
|
|
|||
Loading…
Reference in a new issue