init: restore SELinux labels after policy is loaded

[project/procd.git] / initd / init.c

diff --git a/initd/init.c b/initd/init.c
index 2eb6ead2c0f466a7d91eb813f7de0cbdaedba42d..29e441d36189c4bd704a40447ca5245088e07869 100644 (file)
--- a/initd/init.c
+++ b/initd/init.c
@@ -31,6 +31,8 @@
 
 #if defined(WITH_SELINUX)
 #include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+#include <selinux/avc.h>
 #endif
 
 #include "../utils/utils.h"
@@ -75,16 +77,25 @@ cmdline(void)
 static int
 selinux(char **argv)
 {
-       int enforce = 0;
        int ret;
+       int enforce = selinux_status_getenforce();
+
+       if (getenv("SELINUX_INIT")) {
+               /* SELinux already initialized */
+               if (getenv("SELINUX_RESTORECON")) {
+                       unsetenv("SELINUX_INIT");
+                       unsetenv("SELINUX_RESTORECON");
+                       return 0;
+               }
+               /* Second call: restore filesystem labels */
+               ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE);
+               putenv("SELINUX_RESTORECON=1");
+       } else {
+               /* First call: load policy */
+               ret = selinux_init_load_policy(&enforce);
+               putenv("SELINUX_INIT=1");
+       }
 
-       /* SELinux already initialized */
-       if (getenv("SELINUX_INIT"))
-               return 0;
-
-       putenv("SELINUX_INIT=1");
-
-       ret = selinux_init_load_policy(&enforce);
        if (ret == 0)
                execv(argv[0], argv);