selinux_init_load_policy: setenforce(0) if security_disable() fails

If you run selinux_init_load_policy() after a chroot/switch-root, it's possible that your *previous* root loaded policy, but your *new* root wants SELinux disabled. We can't disable SELinux in this case, but we *do* need to make sure it's permissive. Otherwise we may continue to enforce the old policy. So, if seconfig = -1, but security_disable() fails, we set *enforce=0, and then let the existing code handle the security_{get,set}enforce stuff. Once that's handled, exit with failure via "goto noload", as before.
2024-12-26 07:52:07 +00:00 · 2014-04-29 11:59:34 -04:00 · 2014-04-29 11:59:34 -04:00 · 241fac2728
commit 241fac2728
parent 1e6482134b
1 changed files with 11 additions and 6 deletions
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@ -417,13 +417,15 @@ int selinux_init_load_policy(int *enforce)
 			/* Successfully disabled, so umount selinuxfs too. */
 			umount(selinux_mnt);
 			fini_selinuxmnt();
+			goto noload;
+		} else {
+			/*
+			 * It's possible that this failed because policy has
+			 * already been loaded. We can't disable SELinux now,
+			 * so the best we can do is force it to be permissive.
+			 */
+			*enforce = 0;
 		}
-		/*
-		 * If we failed to disable, SELinux will still be 
-		 * effectively permissive, because no policy is loaded. 
-		 * No need to call security_setenforce(0) here.
-		 */
-		goto noload;
 	}

 	/*
@ -442,6 +444,9 @@ int selinux_init_load_policy(int *enforce)
 		}
 	}

+	if (seconfig == -1)
+		goto noload;
+
 	/* Load the policy. */
 	return selinux_mkload_policy(0);