selinux: relabel /run the same way as /dev after loading the policy since they both...

diff --git a/src/mount-setup.c b/src/mount-setup.c
index 49eab0b..a42ed43 100644 (file)
--- a/src/mount-setup.c
+++ b/src/mount-setup.c
@@ -243,8 +243,10 @@ int mount_setup(void) {
          * appropriate labels, after mounting. The other virtual API
          * file systems do not need. */
 
-        if (unlink("/dev/.systemd-relabel-devtmpfs") >= 0)
+        if (unlink("/dev/.systemd-relabel-run-dev") >= 0) {
                 nftw("/dev", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+                nftw("/run", nftw_cb, 64, FTW_MOUNT|FTW_PHYS);
+        }
 
         /* Create a few default symlinks, which are normally created
          * bei udevd, but some scripts might need them before we start

diff --git a/src/selinux-setup.c b/src/selinux-setup.c
index e21ff6b..c32c7ad 100644 (file)
--- a/src/selinux-setup.c
+++ b/src/selinux-setup.c
@@ -43,9 +43,9 @@ int selinux_setup(char *const argv[]) {
                return 0;
 
        /* Before we load the policy we create a flag file to ensure
-        * that after the reexec we iterate through /dev to relabel
-        * things. */
-       touch("/dev/.systemd-relabel-devtmpfs");
+        * that after the reexec we iterate through /run and /dev to
+        * relabel things. */
+       touch("/dev/.systemd-relabel-run-dev");
 
        if (selinux_init_load_policy(&enforce) == 0) {
                log_debug("Successfully loaded SELinux policy, reexecuting.");
@@ -60,7 +60,7 @@ int selinux_setup(char *const argv[]) {
        } else {
                log_full(enforce > 0 ? LOG_ERR : LOG_WARNING, "Failed to load SELinux policy.");
 
-               unlink("/dev/.systemd-relabel-devtmpfs");
+               unlink("/dev/.systemd-relabel-run-dev");
 
                if (enforce > 0)
                        return -EIO;