init: only relabel rootfs if started from initramfs

Do not relabel all the filesystem if not running from initramfs, it should only be needed in this case. Read-write (ext4) labels should be set when generating the filesystem just like it's done for squashfs. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
author: Daniel Golle <daniel@makrotopia.org> 2022-05-31 17:14:37 +0100
committer: Daniel Golle <daniel@makrotopia.org> 2022-06-01 20:40:23 +0100
commit: 7a0096853594874d4c60266ec338ac23728017df (patch)
tree: 60803c8ee326acb2c06b57772e6f4c2381f9019c
parent: 557c98e2966e0298a301f540824e2c3fce2452e6 (diff)
download: procd-7a0096853594874d4c60266ec338ac23728017df.tar.gz
1 files changed, 4 insertions, 3 deletions
diff --git a/initd/init.c b/initd/init.c
index 7b1a37f..ab6a7e1 100644
--- a/initd/init.c
+++ b/initd/init.c
@@ -80,14 +80,15 @@ selinux(char **argv)
 	int ret;
 	int enforce = selinux_status_getenforce();
 
+	/* is SELinux already initialized? */
 	if (getenv("SELINUX_INIT")) {
-		/* SELinux already initialized */
-		if (getenv("SELINUX_RESTORECON")) {
+		/* have initramfs permissions already been restored? */
+		if (!getenv("INITRAMFS") || getenv("SELINUX_RESTORECON")) {
 			unsetenv("SELINUX_INIT");
 			unsetenv("SELINUX_RESTORECON");
 			return 0;
 		}
-		/* Second call: restore filesystem labels */
+		/* Second call (initramfs only): restore filesystem labels */
 		const char *exclude_list[] = { "/dev/console", "/proc", "/sys", 0 };
 		selinux_restorecon_set_exclude_list(exclude_list);
 		ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_MASS_RELABEL);
author	Daniel Golle <daniel@makrotopia.org>	2022-05-31 17:14:37 +0100
committer	Daniel Golle <daniel@makrotopia.org>	2022-06-01 20:40:23 +0100
commit	7a0096853594874d4c60266ec338ac23728017df (patch)
tree	60803c8ee326acb2c06b57772e6f4c2381f9019c
parent	557c98e2966e0298a301f540824e2c3fce2452e6 (diff)
download	procd-7a0096853594874d4c60266ec338ac23728017df.tar.gz