init: restore SELinux labels after policy is loaded

Introduce an additional SELinux init step to calling restorecon to
label the filesystem. This fixes SELinux on initramfs or systems
with ext4 or ubifs read-write root filesystem.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/initd/init.c b/initd/init.c
index 2eb6ead2c0f466a7d91eb813f7de0cbdaedba42d..29e441d36189c4bd704a40447ca5245088e07869 100644 (file)
--- a/initd/init.c
+++ b/initd/init.c
@@ -31,6 +31,8 @@
 
 #if defined(WITH_SELINUX)
 #include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+#include <selinux/avc.h>
 #endif
 
 #include "../utils/utils.h"
@@ -75,16 +77,25 @@ cmdline(void)
 static int
 selinux(char **argv)
 {
-       int enforce = 0;
        int ret;
+       int enforce = selinux_status_getenforce();
+
+       if (getenv("SELINUX_INIT")) {
+               /* SELinux already initialized */
+               if (getenv("SELINUX_RESTORECON")) {
+                       unsetenv("SELINUX_INIT");
+                       unsetenv("SELINUX_RESTORECON");
+                       return 0;
+               }
+               /* Second call: restore filesystem labels */
+               ret = selinux_restorecon("/", SELINUX_RESTORECON_RECURSE);
+               putenv("SELINUX_RESTORECON=1");
+       } else {
+               /* First call: load policy */
+               ret = selinux_init_load_policy(&enforce);
+               putenv("SELINUX_INIT=1");
+       }
 
-       /* SELinux already initialized */
-       if (getenv("SELINUX_INIT"))
-               return 0;
-
-       putenv("SELINUX_INIT=1");
-
-       ret = selinux_init_load_policy(&enforce);
        if (ret == 0)
                execv(argv[0], argv);