Christian Göttsche <cgzones@xxxxxxxxxxxxxx> writes: > Currently `avc_init_internal()`, called by `avc_open(3)` and > `avc_init(3)`, does open the SELinux status page with fallback mode > enabled. > > Quote from man:selinux_status_open(3): > In this case, this function tries to open a netlink socket using > .BR avc_netlink_open (3) and overwrite corresponding callbacks > (setenforce and policyload). Thus, we need to pay attention to the > interaction with these interfaces, when fallback mode is enabled. > > Calling `selinux_status_open` internally in fallback mode is bad, cause > it overrides callbacks from client applications or the internal > fallback-callbacks get overridden by client applications. > Note that `avc_open(3)` gets called under the hood by > `selinux_check_access(3)` without checking for failure. > Also the status page is available since Linux 2.6.37, so failures of > `selinux_status_open(3)` in non-fallback mode should only be caused by > policies not allowing the client process to open/read/map > the /sys/fs/selinux/status file. Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx> All 3 are merged now. Thanks! > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > libselinux/src/avc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c > index 8314d7ba..daaedbc6 100644 > --- a/libselinux/src/avc.c > +++ b/libselinux/src/avc.c > @@ -214,7 +214,7 @@ static int avc_init_internal(const char *prefix, > avc_enforcing = rc; > } > > - rc = selinux_status_open(1); > + rc = selinux_status_open(0); > if (rc < 0) { > avc_log(SELINUX_ERROR, > "%s: could not open selinux status page: %d (%s)\n", > -- > 2.31.1
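Review bot: the changed call `rc = selinux_status_open(0);` in `avc_init_internal()` carries no comment saying why fallback mode is turned off, and the `rc < 0` branch right after it is now taken whenever the status page cannot be opened, where the netlink fallback used to be tried. The commit message gives the reason (fallback mode overwrites the setenforce and policyload callbacks, or has its own overwritten by the client) and names the expected failure cause (policy not allowing open/read/map of /sys/fs/selinux/status). A short comment at the call with that rationale would keep the argument from being flipped back later. Since the message also notes that `selinux_check_access(3)` calls `avc_open(3)` without checking for failure, confirm what a caller sees once this branch is hit; the visible context ends at the `avc_log()` call, so it cannot be checked from this hunk. The diffstat shows only libselinux/src/avc.c changed, so the behaviour change for clients that relied on the implicit fallback should also be noted in the `avc_open(3)` and `avc_init(3)` documentation if that is not done elsewhere in the series.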