From a9ba0e328fa4d300d1186721d49b4d0fce33185d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 19 Jun 2020 19:29:24 +0200
Subject: Make failures of mac_selinux_init() fatal
---
 src/basic/selinux-util.c | 2 +-
 src/core/main.c | 2 +-
 src/hostname/hostnamed.c | 5 ++++-
 src/hwdb/hwdb.c | 4 +++-
 src/locale/localed.c | 5 ++++-
 src/login/logind.c | 2 +-
 src/login/user-runtime-dir.c | 6 +++---
 src/resolve/resolved.c | 2 +-
 src/sysusers/sysusers.c | 2 +-
 src/timedate/timedated.c | 5 ++++-
 src/tmpfiles/tmpfiles.c | 4 +++-
 src/udev/udevadm.c | 5 ++++-
 src/udev/udevd.c | 2 +-
 src/update-done/update-done.c | 4 +---
 src/user-sessions/user-sessions.c | 4 +++-
 15 files changed, 35 insertions(+), 19 deletions(-)
(limited to 'src')
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 0d7a7e1fbe..3b414e2d1a 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -122,7 +122,7 @@ int mac_selinux_init(void) {
 label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 if (!label_hnd)
- return log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
+ return log_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m");
 after_timestamp = now(CLOCK_MONOTONIC);
 after_mallinfo = mallinfo();
diff --git a/src/core/main.c b/src/core/main.c
index 4e1e443a28..a2ff71fa71 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -2559,7 +2559,7 @@ int main(int argc, char *argv[]) {
 }
 if (mac_selinux_init() < 0) {
- error_message = "Failed to initialize SELinux policy";
+ error_message = "Failed to initialize SELinux support";
 goto finish;
 }
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index e694a95a04..36229f3c9b 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
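Review bot: In src/basic/selinux-util.c, mac_selinux_init() carries no comment stating its return contract, yet after this commit every caller in the series treats a negative return as fatal. The only failure path visible in this hunk returns through `log_enforcing_errno()`, whose name suggests the result depends on whether SELinux is enforcing; the macro is not shown here, so that needs confirming before it is written down. I would add a comment above the function along the lines of `/* Returns < 0 only if the labeling handle could not be opened; the failure is logged here, callers just propagate it. */`, adjusted to the macro's actual behaviour in permissive mode. The function body starts and ends outside the hunk.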
@@ -801,7 +801,10 @@ static int run(int argc, char *argv[]) {
 return r;
 umask(0022);
- mac_selinux_init();
+
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
 assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
diff --git a/src/hwdb/hwdb.c b/src/hwdb/hwdb.c
index 651647b3f0..eb038a8b55 100644
--- a/src/hwdb/hwdb.c
+++ b/src/hwdb/hwdb.c
@@ -125,7 +125,9 @@ static int run(int argc, char *argv[]) {
 if (r <= 0)
 return r;
- mac_selinux_init();
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
 return hwdb_main(argc, argv);
 }
diff --git a/src/locale/localed.c b/src/locale/localed.c
index 8ffcf306b5..3e58487c74 100644
--- a/src/locale/localed.c
+++ b/src/locale/localed.c
@@ -788,7 +788,10 @@ static int run(int argc, char *argv[]) {
 return r;
 umask(0022);
- mac_selinux_init();
+
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
 assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);
diff --git a/src/login/logind.c b/src/login/logind.c
index dc746a2c9e..377fba25cf 100644
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -1173,7 +1173,7 @@ static int run(int argc, char *argv[]) {
 r = mac_selinux_init();
 if (r < 0)
- return log_error_errno(r, "Could not initialize labelling: %m");
+ return r;
 /* Always create the directories people can create inotify watches in. Note that some applications might check
 * for the existence of /run/systemd/seats/ to determine whether logind is available, so please always make
diff --git a/src/login/user-runtime-dir.c b/src/login/user-runtime-dir.c
index fdf0124c41..38058d7b2a 100644
--- a/src/login/user-runtime-dir.c
+++ b/src/login/user-runtime-dir.c
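Review bot: In src/hwdb/hwdb.c the new `if (r < 0) return r;` sits in front of the `hwdb_main(argc, argv)` dispatch, so a labeling failure now aborts every verb, including any that never create or relabel a file; src/udev/udevadm.c has the same shape in front of `udevadm_main()`. On a host whose SELinux file-context database cannot be loaded, that also takes away the read-only diagnostics an administrator would use to investigate. Consider initialising only in the verbs that write, or record the choice with a comment such as `/* Fatal for all verbs on purpose: we cannot tell here whether the verb will label files */`. Which verbs actually write is not visible in this patch.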
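Review bot: In src/login/logind.c the caller-side `log_error_errno()` is replaced by a bare `return r;`, so the program now exits without a message of its own; resolved.c, sysusers.c, udevd.c and update-done.c get the same treatment. That is only safe if mac_selinux_init() logs on every path that returns a negative value, and this patch shows just one such path, the `selabel_open()` failure. If another path can fail quietly, the service stops with nothing in the journal to explain why, which makes a labeling outage hard to triage. A short comment at the call sites, e.g. `/* mac_selinux_init() logs its own errors */`, would record the dependency; run() continues outside the hunk.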
@@ -192,11 +192,11 @@ static int run(int argc, char *argv[]) {
 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 "First argument must be either \"start\" or \"stop\".");
+ umask(0022);
+
 r = mac_selinux_init();
 if (r < 0)
- return log_error_errno(r, "Could not initialize labelling: %m\n");
-
- umask(0022);
+ return r;
 if (streq(argv[1], "start"))
 return do_mount(argv[2]);
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 50989a6b0a..566b950a63 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -40,7 +40,7 @@ static int run(int argc, char *argv[]) {
 r = mac_selinux_init();
 if (r < 0)
- return log_error_errno(r, "SELinux setup failed: %m");
+ return r;
 /* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
 * privileges are already dropped and we can't create our directory. */
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 6fbd5985d3..b5e7e08eee 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -1898,7 +1898,7 @@ static int run(int argc, char *argv[]) {
 r = mac_selinux_init();
 if (r < 0)
- return log_error_errno(r, "SELinux setup failed: %m");
+ return r;
 /* If command line arguments are specified along with --replace, read all
 * configuration files and insert the positional arguments at the specified
diff --git a/src/timedate/timedated.c b/src/timedate/timedated.c
index da59dd3314..afe593ff64 100644
--- a/src/timedate/timedated.c
+++ b/src/timedate/timedated.c
@@ -377,7 +377,10 @@ static int context_write_data_local_rtc(Context *c) {
 }
 }
- mac_selinux_init();
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
+
 return write_string_file_atomic_label("/etc/adjtime", w);
 }
diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index e827de1b06..8a0b8d3b84 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
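Review bot: The move of `umask(0022);` above `mac_selinux_init()` in src/login/user-runtime-dir.c is a second change that the subject line does not cover and that nothing in the code explains. It looks like an alignment with the other programs in this series, which set the umask before initialising labeling, but that is inferred from the neighbouring hunks. A sentence in the commit message, or a comment such as `/* Set the umask first, as the other tools do before label setup */`, would keep a later cleanup from reordering it again.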
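Review bot: In src/timedate/timedated.c the initialisation stays inside context_write_data_local_rtc(), directly before `write_string_file_atomic_label("/etc/adjtime", w)`, so a labeling failure now surfaces as a failed write request at runtime rather than at daemon start as in hostnamed.c and localed.c. Refusing the write is the right outcome, since the file would presumably otherwise be created without a proper label lookup, but the late failure is harder to notice and depends on when a client first triggers this path. Consider moving the call into the daemon's startup function, or add `/* Initialized lazily here; a failure rejects this write only */` to make the behaviour explicit. The hunk assigns to `r`, whose declaration is outside the visible lines and should be confirmed.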
@@ -3262,7 +3262,9 @@ static int run(int argc, char *argv[]) {
 umask(0022);
- mac_selinux_init();
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
 items = ordered_hashmap_new(&item_array_hash_ops);
 globs = ordered_hashmap_new(&item_array_hash_ops);
diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c
index f1115bff7a..e476f88f00 100644
--- a/src/udev/udevadm.c
+++ b/src/udev/udevadm.c
@@ -124,7 +124,10 @@ static int run(int argc, char *argv[]) {
 log_set_max_level_realm(LOG_REALM_SYSTEMD, log_get_max_level());
- mac_selinux_init();
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
+
 return udevadm_main(argc, argv);
 }
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index d86c1484c3..8db19e4f89 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1863,7 +1863,7 @@ int run_udevd(int argc, char *argv[]) {
 r = mac_selinux_init();
 if (r < 0)
- return log_error_errno(r, "Could not initialize labelling: %m");
+ return r;
 r = mkdir_errno_wrapper("/run/udev", 0755);
 if (r < 0 && r != -EEXIST)
diff --git a/src/update-done/update-done.c b/src/update-done/update-done.c
index bbd14165d5..c001802dc9 100644
--- a/src/update-done/update-done.c
+++ b/src/update-done/update-done.c
@@ -49,10 +49,8 @@ int main(int argc, char *argv[]) {
 }
 r = mac_selinux_init();
- if (r < 0) {
- log_error_errno(r, "SELinux setup failed: %m");
+ if (r < 0)
 return EXIT_FAILURE;
- }
 r = apply_timestamp("/etc/.updated", &st.st_mtim);
 q = apply_timestamp("/var/.updated", &st.st_mtim);
diff --git a/src/user-sessions/user-sessions.c b/src/user-sessions/user-sessions.c
index c241429517..cd92b696c0 100644
--- a/src/user-sessions/user-sessions.c
+++ b/src/user-sessions/user-sessions.c
@@ -25,7 +25,9 @@ static int run(int argc, char *argv[]) {
 umask(0022);
- mac_selinux_init();
+ r = mac_selinux_init();
+ if (r < 0)
+ return r;
 if (streq(argv[1], "start")) {
 r = unlink_or_warn("/run/nologin");
-- 
cgit v1.2.1
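Review bot: In src/user-sessions/user-sessions.c the new early return runs before the `start` branch, whose first visible action is `unlink_or_warn("/run/nologin")`, an operation that needs no labeling handle. If initialisation fails, /run/nologin is left in place, which normally keeps ordinary logins blocked until someone intervenes. That fail-closed result may well be intended, but it should be a recorded decision rather than a side effect: `/* Intentionally fatal even for "start": keep logins blocked if SELinux labeling cannot be set up */`. The rest of run() is outside the hunk.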