-rw-r--r-- | src/basic/selinux-util.c | 36 | ||||
-rw-r--r-- | src/basic/selinux-util.h | 1 | ||||
-rw-r--r-- | src/core/selinux-access.c | 5 |
3 files changed, 6 insertions, 36 deletions
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 80bd65b155..c94ee26bd9 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -35,14 +35,14 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
 static int mac_selinux_reload(int seqno);
 static int cached_use = -1;
-static int cached_enforcing = -1;
 static struct selabel_handle *label_hnd = NULL;
-#define log_enforcing(...) log_full(mac_selinux_enforcing() ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
+#define log_enforcing(...) \
+ log_full(security_getenforce() != 0 ? LOG_ERR : LOG_WARNING, __VA_ARGS__)
 #define log_enforcing_errno(error, ...) \
 ({ \
- bool _enforcing = mac_selinux_enforcing(); \
+ bool _enforcing = security_getenforce() != 0; \
 int _level = _enforcing ? LOG_ERR : LOG_WARNING; \
 int _e = (error); \
 \
@@ -66,41 +66,12 @@ bool mac_selinux_use(void) {
 #endif
 }
-bool mac_selinux_enforcing(void) {
-#if HAVE_SELINUX
- if (_unlikely_(cached_enforcing < 0)) {
- cached_enforcing = security_getenforce();
- if (cached_enforcing < 0) {
- log_debug_errno(errno, "Failed to get SELinux enforced status, continuing in enforcing mode: %m");
- return true; /* treat failure as enforcing mode */
- }
-
- log_debug("SELinux enforcing state cached to: %s", cached_enforcing ? "enforcing" : "permissive");
- }
-
- return cached_enforcing > 0;
-#else
- return false;
-#endif
-}
-
 void mac_selinux_retest(void) {
 #if HAVE_SELINUX
 cached_use = -1;
- cached_enforcing = -1;
 #endif
 }
-#if HAVE_SELINUX
-static int setenforce_callback(int enforcing) {
- cached_enforcing = enforcing;
-
- log_debug("SELinux enforcing state updated to: %s", cached_enforcing ? "enforcing" : "permissive");
-
- return 0;
-}
-#endif
-
 int mac_selinux_init(void) {
 #if HAVE_SELINUX
 usec_t before_timestamp, after_timestamp;
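Review bot: The rewritten `log_enforcing` and `log_enforcing_errno` macros map a failed `security_getenforce()` call (it returns -1 on error) onto the enforcing branch through the `!= 0` test, so the fail-closed behaviour of the deleted `mac_selinux_enforcing()` survives, but now silently, without the debug message the old helper logged on that path. A one-line comment on the new `#define log_enforcing(...)` line would make the intent explicit, e.g. `/* security_getenforce() < 0 (state unreadable) is deliberately treated as enforcing */`. Each expansion of `log_enforcing` now performs an uncached libselinux query where the old code read a cached int; in error-reporting paths that is harmless, but the commit message could say that the cache was dropped on purpose. Since `security_getenforce()` is a libselinux symbol and the deleted helper had a `#else` fallback returning false, every use of these macros must sit under `HAVE_SELINUX`; whether every existing use does is not visible in this hunk.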
@@ -109,7 +80,6 @@ int mac_selinux_init(void) {
 int l;
 selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) mac_selinux_reload);
- selinux_set_callback(SELINUX_CB_SETENFORCE, (union selinux_callback) setenforce_callback);
 if (label_hnd)
 return 0;
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index 736082cab0..d053b00b5c 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -16,7 +16,6 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(char*, freecon);
 #endif
 bool mac_selinux_use(void);
-bool mac_selinux_enforcing(void);
 void mac_selinux_retest(void);
 int mac_selinux_init(void);
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index abfab14dab..1d52b5ff04 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -144,8 +144,9 @@ static int access_init(sd_bus_error *error) {
 if (avc_open(NULL, 0) != 0) {
 int saved_errno = errno;
- const bool enforce = mac_selinux_enforcing();
+ bool enforce;
+ enforce = security_getenforce() != 0;
 log_full_errno(enforce ? LOG_ERR : LOG_WARNING, saved_errno,
 "Failed to open the SELinux AVC: %m");
 /* If enforcement isn't on, then let's suppress this
@@ -197,7 +198,7 @@ int mac_selinux_generic_access_check(
 return r;
 /* delay call until we checked in `access_init()` if SELinux is actually enabled */
- enforce = mac_selinux_enforcing();
+ enforce = security_getenforce() != 0;
 r = sd_bus_query_sender_creds(
 message, |
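Review bot: In `access_init()` the replacement `bool enforce;` followed by `enforce = security_getenforce() != 0;` splits declaration from initialisation and drops the `const` the removed line carried, for no gain; a single `const bool enforce = security_getenforce() != 0;` keeps the old shape and the qualifier. It is correctly placed after `saved_errno` is captured, so the libselinux call cannot clobber the `avc_open()` errno that is logged. Because the `!= 0` test also turns a query failure (-1) into `enforce == true`, an AVC open failure while the enforcing state is unreadable is logged at LOG_ERR and, per the comment that follows, not suppressed; a short comment such as `/* a failed query (-1) counts as enforcing */` would record that this is intended. The same `!= 0` idiom appears in the second hunk of this file, whose last line lies outside this chunk, and `access_init()`'s body continues past the hunk.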