Dominick Grift made me aware over IRC of the issue that systemd on Fedora 34
no longer updates its selabel database automatically on SELinux policy
reloads. The issue is caused by libselinux 3.2 defaulting to use the status
page instead of a netlink socket for reload/enforcing change queries[1].

I prepared a patch for systemd over at [2].

While writing the patch I noticed two possible issues:

1. selinux_status_open(3) is not reentrant

selinux_status_open() unconditionally calls mmap(2), regardless of whether
the page is already opened. selinux_status_open() might get called multiple
times by a client application unintentionally, e.g. once manually to be able
to call selinux_status_updated(3) and react to changes, and indirectly by
calling selinux_check_access(3), which calls avc_open(3), which since 3.2[1]
also calls selinux_status_open().

2. In fallback mode selinux_status_open(3) sets internal callbacks

If selinux_status_open() gets called with fallback enabled and the fallback
is actually used, it sets the two callbacks for SELINUX_CB_SETENFORCE and
SELINUX_CB_POLICYLOAD. These might be later overridden by client
applications, which want to install their own callbacks. avc_open(3) since
3.2 calls selinux_status_open() with fallback mode enabled.

[1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
[2]: https://github.com/systemd/systemd/pull/19551

Christian Göttsche (3):
  libselinux: avc_destroy(3) closes status page
  libselinux: make selinux_status_open(3) reentrant
  libselinux: do not use status page fallback mode internally

 libselinux/man/man3/avc_open.3 | 3 +++
 libselinux/src/avc.c           | 2 +-
 libselinux/src/sestatus.c      | 4 ++++
 3 files changed, 8 insertions(+), 1 deletion(-)

--
2.31.1
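Added example, not part of the original message and not libselinux code: a self-contained C model of issue 1, in which an open function that maps unconditionally loses its first mapping on a second call, next to a guarded variant. All function names are hypothetical, and an anonymous mapping stands in for the status page.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical model of a library holding one process-wide mapping. */
static void *status_page = NULL;  /* the single global mapping */
static int live_mappings = 0;     /* bookkeeping for the demonstration */

/* Non-reentrant: maps unconditionally; a second call overwrites the
 * pointer, so the first mapping can never be unmapped again. */
int status_open_naive(void)
{
    void *p = mmap(NULL, (size_t)sysconf(_SC_PAGESIZE), PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    live_mappings++;
    status_page = p;
    return 0;
}

/* Reentrant: an existing mapping is reused instead of mapping again. */
int status_open_guarded(void)
{
    return status_page != NULL ? 0 : status_open_naive();
}

void status_close(void)
{
    if (status_page == NULL)
        return;
    munmap(status_page, (size_t)sysconf(_SC_PAGESIZE));
    status_page = NULL;
    live_mappings--;
}

/* Mappings left behind by the sequence open, open, close. */
int leaked_after_double_open(int (*open_fn)(void))
{
    int before = live_mappings;
    open_fn();  /* explicit call by the application */
    open_fn();  /* indirect call through another library entry point */
    status_close();
    return live_mappings - before;
}

int main(void) { return leaked_after_double_open(status_open_guarded); }
```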