selinux fixes for varlink (#38404)

- fixes `mac_selinux_unit_access_check_varlink` macro - more usage of `log_selinux_enforcing_errno()` for consistency
2026-04-15 00:47:10 +09:00 · 2025-07-29 18:30:37 +02:00
parent bbc10f31ae ce6bdb7969
commit 467ff7929f
2 changed files with 9 additions and 9 deletions
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -156,12 +156,11 @@ static int access_init(sd_bus_error *error) {
        if (avc_open(NULL, 0) != 0) {
                r = -errno;  /* Save original errno for later */

-                bool enforce = security_getenforce() != 0;
-                log_full_errno(enforce ? LOG_ERR : LOG_WARNING, r, "Failed to open the SELinux AVC: %m");
-
-                /* If enforcement isn't on, then let's suppress this error, and just don't do any AVC checks.
-                 * The warning we printed is hence all the admin will see. */
-                if (!enforce)
+                r = log_selinux_enforcing_errno(r, "Failed to open the SELinux AVC: %m");
+                if (r == 0)
+                        /* log_selinux_enforcing_errno() can return 0 if the enforcement isn't on.
+                         * In this case don't do any AVC checks.
+                         * The warning we printed is hence all the admin will see. */
                        return 0;

                /* Return an access denied error based on the original errno, if we couldn't load the AVC but
@@ -347,14 +346,15 @@ int mac_selinux_access_check_varlink_internal(

        r = access_init(/* error= */ NULL);
        if (r <= 0)
-                return log_debug_errno(r, "Failed to init SELinux: %m");
+                /* access_init() does log_selinux_enforcing_errno() */
+                return r;

        /* delay call until we checked in `access_init()` if SELinux is actually enabled */
        bool enforce = mac_selinux_enforcing();

        int fd = sd_varlink_get_fd(link);
        if (fd < 0)
-                return log_debug_errno(fd, "Failed to get varlink peer fd: %m");
+                return log_selinux_enforcing_errno(fd, "Failed to get varlink peer fd: %m");

        /* We should call mac_selinux_get_peer_label() here similarly to get_our_contexts().
         * See the explanation there why not. */
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -16,4 +16,4 @@ int mac_selinux_access_check_varlink_internal(sd_varlink *link, const Unit *unit
        mac_selinux_access_check_varlink_internal((link), NULL, (permission), __func__)

 #define mac_selinux_unit_access_check_varlink(unit, link, permission) \
-        mac_selinux_access_check_bus_internal((link), (unit), (permission), __func__)
+        mac_selinux_access_check_varlink_internal((link), (unit), (permission), __func__)