Skip to content

Commit 66cedb3

Browse files
poetteringpoettering
committed
selinux: simplify and unify logging
Normally we shouldn#t log from "library" functions, but SELinux is weird, hence upgrade security messages uniformly to LOG_ERR when in enforcing mode.
1 parent 7f416da commit 66cedb3

File tree

1 file changed

+9
-9
lines changed

1 file changed

+9
-9
lines changed

src/shared/selinux-util.c

Lines changed: 9 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -42,6 +42,8 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
4242

4343
static int cached_use = -1;
4444
static struct selabel_handle *label_hnd = NULL;
45+
46+
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
4547
#endif
4648

4749
bool mac_selinux_use(void) {
@@ -87,8 +89,7 @@ int mac_selinux_init(const char *prefix) {
8789
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
8890

8991
if (!label_hnd) {
90-
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
91-
"Failed to initialize SELinux context: %m");
92+
log_enforcing("Failed to initialize SELinux context: %m");
9293
r = security_getenforce() == 1 ? -errno : 0;
9394
} else {
9495
char timespan[FORMAT_TIMESPAN_MAX];
@@ -147,7 +148,7 @@ int mac_selinux_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
147148
if (ignore_erofs && errno == EROFS)
148149
return 0;
149150

150-
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, "Unable to fix SELinux label of %s: %m", path);
151+
log_enforcing("Unable to fix SELinux label of %s: %m", path);
151152
r = security_getenforce() == 1 ? -errno : 0;
152153
}
153154
#endif
@@ -284,7 +285,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
284285
#ifdef HAVE_SELINUX
285286
_cleanup_security_context_free_ security_context_t filecon = NULL;
286287

287-
if (!mac_selinux_use() || !label_hnd)
288+
if (!label_hnd)
288289
return 0;
289290

290291
r = selabel_lookup_raw(label_hnd, &filecon, path, mode);
@@ -293,7 +294,7 @@ int mac_selinux_context_set(const char *path, mode_t mode) {
293294
else if (r == 0) {
294295
r = setfscreatecon(filecon);
295296
if (r < 0) {
296-
log_error("Failed to set SELinux file context on %s: %m", path);
297+
log_enforcing("Failed to set SELinux file context on %s: %m", path);
297298
r = -errno;
298299
}
299300
}
@@ -312,8 +313,7 @@ int mac_selinux_socket_set(const char *label) {
312313
return 0;
313314

314315
if (setsockcreatecon((security_context_t) label) < 0) {
315-
log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG,
316-
"Failed to set SELinux context (%s) on socket: %m", label);
316+
log_enforcing("Failed to set SELinux context (%s) on socket: %m", label);
317317

318318
if (security_getenforce() == 1)
319319
return -errno;
@@ -383,7 +383,7 @@ int mac_selinux_mkdir(const char *path, mode_t mode) {
383383
r = setfscreatecon(fcon);
384384

385385
if (r < 0 && errno != ENOENT) {
386-
log_error("Failed to set security context %s for %s: %m", fcon, path);
386+
log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
387387

388388
if (security_getenforce() == 1) {
389389
r = -errno;
@@ -450,7 +450,7 @@ int mac_selinux_bind(int fd, const struct sockaddr *addr, socklen_t addrlen) {
450450
r = setfscreatecon(fcon);
451451

452452
if (r < 0 && errno != ENOENT) {
453-
log_error("Failed to set security context %s for %s: %m", fcon, path);
453+
log_enforcing("Failed to set security context %s for %s: %m", fcon, path);
454454

455455
if (security_getenforce() == 1) {
456456
r = -errno;

0 commit comments

Comments
 (0)