/*
 * Lazily open the SELinux AVC and register the audit and log callbacks.
 *
 * Returns:
 *   0  - no AVC checks will be made: mac_selinux_use() is false, or
 *        avc_open() failed while security_getenforce() reported 0;
 *   1  - the AVC is open (either just now or on an earlier call);
 *   otherwise the result of sd_bus_error_setf() after *error has been
 *   filled with SD_BUS_ERROR_ACCESS_DENIED.
 *
 * Security note: the failure path is fail-closed. Only an explicit 0 from
 * security_getenforce() downgrades the failure to a warning; every other
 * value, including the case where the enforcing state could not be
 * determined, is treated like enforcing mode and access is denied.
 */
static int access_init(sd_bus_error *error) {
        int saved_errno, enforce;

        if (!mac_selinux_use())
                return 0;

        if (initialized)
                return 1;

        if (avc_open(NULL, 0) == 0) {
                selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
                selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

                initialized = true;
                return 1;
        }

        /* Grab errno first: the calls below must not be allowed to replace
         * the reason avc_open() failed. */
        saved_errno = errno;
        enforce = security_getenforce();

        log_full_errno(enforce == 0 ? LOG_WARNING : LOG_ERR, saved_errno, "Failed to open the SELinux AVC: %m");

        /* Not enforcing: swallow the error and skip AVC checks altogether.
         * The warning logged above is all the administrator gets to see. */
        if (enforce == 0)
                return 0;

        /* Enforcing, or enforcing state unknown: deny access. */
        return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
}
/*
 * Must be called once to initialise the SELinux AVC environment; it also
 * installs the audit and log callbacks. To release the AVC memory again,
 * call selinux_access_finish.
 *
 * Returns 0 on success. If avc_open() fails, the failure is logged and the
 * value of log_error_errno() is returned. If security_getenforce() fails,
 * the AVC is destroyed again and -errno is returned.
 *
 * NOTE(review): on the security_getenforce() failure path the two callbacks
 * registered above stay installed after avc_destroy() - confirm that this is
 * intended.
 */
static int access_init(void) {
        int saved;

        if (avc_open(NULL, 0) != 0)
                return log_error_errno(errno, "avc_open() failed: %m");

        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

        if (security_getenforce() >= 0)
                return 0;

        /* Read errno before the teardown call so the reported code is the
         * one left by security_getenforce(). */
        saved = errno;
        avc_destroy();
        return -saved;
}
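/*
 * Must be called once to initialise the SELinux AVC environment; it also
 * installs the audit and log callbacks. To release the AVC memory again,
 * call selinux_access_finish.
 *
 * Returns 0 on success and a negative errno-style value on failure:
 *   - avc_open() failed: the failure is logged and -errno is returned;
 *   - security_getenforce() failed: the AVC is destroyed again and -errno
 *     is returned.
 *
 * Callers rely on a non-zero return to know that no AVC is available, so the
 * error code must be the one left by the failing call.
 */
static int access_init(void) {
        int r;

        if (avc_open(NULL, 0)) {
                /* Capture errno before logging. The value returned must be
                 * the one avc_open() left behind, not whatever the logging
                 * call leaves in errno (in the worst case 0, which would
                 * read as success). "%m" still sees the original errno
                 * because nothing has modified it yet. */
                r = -errno;
                log_error("avc_open() failed: %m");
                return r;
        }

        selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
        selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);

        if (security_getenforce() >= 0)
                return 0;

        /* Same ordering concern: read errno before the teardown call. */
        r = -errno;
        avc_destroy();

        return r;
}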
/*
 * Initialisation helper: stores the result of is_selinux_enabled() in
 * selinux_enabled and opens the AVC only when that value is exactly 1.
 * Any other value, which includes an error result, skips the open.
 *
 * NOTE(review): the return value of avc_open() is discarded, so a failed
 * open leaves selinux_enabled at 1 with no AVC behind it. Confirm that
 * callers which later consult the AVC handle that state, or record the
 * failure here so they can fail closed.
 */
static void avc_init_once(void) {
        selinux_enabled = is_selinux_enabled();

        if (selinux_enabled != 1)
                return;

        (void) avc_open(NULL, 0);
}