init: only relabel rootfs if started from initramfs

[project/procd.git] / initd / init.c

diff --git a/initd/init.c b/initd/init.c
index 7b1a37f2fb694a38b5e730fdb72bef8298c752bc..ab6a7e180fb75a9740022caaa1de075ce57ce33e 100644 (file)
--- a/initd/init.c
+++ b/initd/init.c
@@ -80,14 +80,15 @@ selinux(char **argv)
        int ret;
        int enforce = selinux_status_getenforce();
 
        int ret;
        int enforce = selinux_status_getenforce();
 

+       /* is SELinux already initialized? */

        if (getenv("SELINUX_INIT")) {
        if (getenv("SELINUX_INIT")) {

-               /* SELinux already initialized */
-               if (getenv("SELINUX_RESTORECON")) {
+               /* have initramfs permissions already been restored? */
+               if (!getenv("INITRAMFS") || getenv("SELINUX_RESTORECON")) {

                        unsetenv("SELINUX_INIT");
                        unsetenv("SELINUX_RESTORECON");
                        return 0;
                }
                        unsetenv("SELINUX_INIT");
                        unsetenv("SELINUX_RESTORECON");
                        return 0;
                }

-               /* Second call: restore filesystem labels */
+               /* Second call (initramfs only): restore filesystem labels */

                const char *exclude_list[] = { "/dev/console", "/proc", "/sys", 0 };
                selinux_restorecon_set_exclude_list(exclude_list);
                ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_MASS_RELABEL);
                const char *exclude_list[] = { "/dev/console", "/proc", "/sys", 0 };
                selinux_restorecon_set_exclude_list(exclude_list);
                ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE | SELINUX_RESTORECON_MASS_RELABEL);