From: "Richard W.M. Jones" <rjones@xxxxxxxxxx>
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
---
 src/security/security_selinux.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..8b88785 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,26 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 return 0;
 }
+#if HAVE_SELINUX_LABEL_H
+static struct selabel_handle *sehandle = NULL;
+static virOnceControl sehandleonce = VIR_ONCE_CONTROL_INITIALIZER;
+
+static void
+seHandleInit (void)
+{
+ sehandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+}
+#endif
+
 /* Set fcon to the appropriate label for path and mode, or return -1. */
 static int
 getContext(const char *newpath, mode_t mode, security_context_t *fcon)
 {
 #if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (virOnce(&sehandleonce, seHandleInit) < 0 || sehandle == NULL)
 return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(sehandle, fcon, newpath, mode);
 #else
 return matchpathcon(newpath, mode, fcon);
 #endif
--
1.8.1
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
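Review bot: With the handle cached behind `virOnce`, a failed `selabel_open()` in `seHandleInit` becomes permanent: `sehandle` stays NULL, the once-control never re-runs, and every later `getContext` call returns -1 for the life of the process, whereas the old code retried on each call. The same caching means lookups use the file-context data as loaded at first use, so a policy or file_contexts update made while the daemon runs is presumably not picked up until restart, and new files could be labelled from stale rules. At minimum, report the `selabel_open()` failure (with errno) inside `seHandleInit` and document the lifetime on the declaration, e.g. `/* Opened on first use and never closed; reflects the file contexts loaded at that time. */`. It is also worth confirming that concurrent `selabel_lookup_raw()` calls on one shared handle are safe for the libselinux versions supported, since the hunk adds no locking around the lookup. The closing brace of `getContext` lies outside the hunk.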