On Wed, Apr 26, 2017, at 04:24 PM, Stephen Smalley wrote:
>
> Your analysis and proposed fix sound correct to me. I blame Dan ;)

Thanks. I tested the patch and confirmed it fixed ostree as it stands today, but I'm going to change ostree to cache the result of `is_selinux_enabled()` itself to work around this, since for our use cases it should never really change dynamically.

Here's a git-format-patch version attached:

From 9268336b3e3a8994e495e7a997c9978453f7b155 Mon Sep 17 00:00:00 2001 From: Colin Walters <walters@xxxxxxxxxx> Date: Wed, 26 Apr 2017 16:26:21 -0400 Subject: [PATCH] config: Don't finalize mount state in selinux_set_policy_root() This breaks every further call to e.g. `is_selinux_enabled()` after a policy root has been set. This tripped up some code landed in libostree: https://github.com/ostreedev/ostree/pull/797 Since in some cases we initialize a policy twice in process, and we'd call `is_selinux_enabled()` each time. More info in: http://marc.info/?l=selinux&m=149323809332417&w=2 --- libselinux/src/selinux_config.c | 1 - 1 file changed, 1 deletion(-) diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c index d8e140c..292728f 100644 --- a/libselinux/src/selinux_config.c +++ b/libselinux/src/selinux_config.c @@ -282,7 +282,6 @@ int selinux_set_policy_root(const char *path) } policy_type++; - fini_selinuxmnt(); fini_selinux_policyroot(); selinux_policyroot = strdup(path); -- 2.9.3
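
Review bot: The commit message explains what the removed `fini_selinuxmnt();` call broke, but not why the mount state is safe to keep once the policy root changes in `selinux_set_policy_root()` (the single hunk at line 282 of libselinux/src/selinux_config.c). A sentence stating that the selinuxfs mount state does not depend on the policy root would let a later reader see why `fini_selinux_policyroot();` stays while the mount teardown goes. The message as posted also carries no Signed-off-by line, and the fix would be easier to keep fixed with a small regression check that calls `is_selinux_enabled()` before and after `selinux_set_policy_root()` and expects the same result, which is the sequence the message says tripped up libostree.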