logind: load SELinux labelling system

systemd-logind uses mkdir_label and label_fix functions without calling
first mac_selinux_init.  This makes /run/user/$UID/ directories not
labelled correctly on an Arch Linux system using SELinux.

Fix this by calling mac_selinux_init("/run") early in systemd-logind.
This makes files created in /etc/udev/rules.d and /var/lib/systemd to be
labelled through transitions in the SELinux policy instead of using
setfscreatecon (with mac_selinux_create_file_prepare).

diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index 9eda463..ddfeaa1 100644 (file)
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1228,7 +1228,6 @@ static int attach_device(Manager *m, const char *seat, const char *sysfs) {
                 return -ENOMEM;
 
         mkdir_p_label("/etc/udev/rules.d", 0755);
-        mac_selinux_init("/etc");
         r = write_string_file_atomic_label(file, rule);
         if (r < 0)
                 return r;

diff --git a/src/login/logind.c b/src/login/logind.c
index 9723e2f..7e2d114 100644 (file)
--- a/src/login/logind.c
+++ b/src/login/logind.c
@@ -36,6 +36,7 @@
 #include "fd-util.h"
 #include "formats-util.h"
 #include "logind.h"
+#include "selinux-util.h"
 #include "signal-util.h"
 #include "strv.h"
 #include "udev-util.h"
@@ -1127,6 +1128,12 @@ int main(int argc, char *argv[]) {
                 goto finish;
         }
 
+        r = mac_selinux_init("/run");
+        if (r < 0) {
+                log_error_errno(r, "Could not initialize labelling: %m");
+                goto finish;
+        }
+
         /* Always create the directories people can create inotify
          * watches in. Note that some applications might check for the
          * existence of /run/systemd/seats/ to determine whether