From: "Richard W.M. Jones" <rjones@xxxxxxxxxx>
According to Eric Paris this is slightly more efficient because it only loads the regular expressions in libselinux once.
---
src/security/security_selinux.c | 24 +++++++++++++++++-------
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a3ef728..d4f0595 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -935,20 +935,30 @@ virSecuritySELinuxFSetFilecon(int fd, char *tcon)
 return 0;
 }
+#if HAVE_SELINUX_LABEL_H
+
+static struct selabel_handle *seLabelHandle = NULL;
+
+static int
+seLabelHandleOnceInit (void)
+{
+ seLabelHandle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+ return seLabelHandle ? 0 : -1;
+}
+
+VIR_ONCE_GLOBAL_INIT(seLabelHandle)
+
+#endif
+
 /* Set fcon to the appropriate label for path and mode, or return -1. */
 static int
 getContext(const char *newpath, mode_t mode, security_context_t *fcon)
 {
 #if HAVE_SELINUX_LABEL_H
- struct selabel_handle *handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
- int ret;
-
- if (handle == NULL)
+ if (seLabelHandleInitialize() < 0)
 return -1;
- ret = selabel_lookup_raw(handle, fcon, newpath, mode);
- selabel_close(handle);
- return ret;
+ return selabel_lookup_raw(seLabelHandle, fcon, newpath, mode);
 #else
 return matchpathcon(newpath, mode, fcon);
 #endif
--
1.8.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
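Review bot: The new file-scope `seLabelHandle` that getContext() now passes to `selabel_lookup_raw` is opened once by `seLabelHandleOnceInit` and is never closed or reopened anywhere in this hunk, so whatever file-context specification it loaded at first use presumably stays in effect for the life of the process; if the SELinux policy's file contexts are updated afterwards, new files may keep being labelled from the old specification until the daemon restarts. The old code avoided this, at a cost, by opening a fresh handle per call. The handle is also shared by every caller now, and `VIR_ONCE_GLOBAL_INIT` (its definition is not on this page) presumably serialises only the open, so it is worth confirming that concurrent lookups on one handle are safe with the libselinux versions supported. At minimum I would document the trade-off on the declaration, e.g. `/* Opened on first use and kept for the life of the process: not reopened on policy change, shared by all threads. */`. getContext()'s closing brace lies outside the hunk.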