Merge pull request #262 from ondrejbudai/selinux-shortcut

cgwalters · web-flow · commit e5b59708fba2 · 2024-01-16T18:01:45.000-05:00
lsm: exit early if the process already has install_t
diff --git a/lib/src/lsm.rs b/lib/src/lsm.rs
@@ -84,6 +84,10 @@ impl Drop for SetEnforceGuard {
 #[context("Ensuring selinux install_t type")]
 #[cfg(feature = "install")]
 pub(crate) fn selinux_ensure_install_or_setenforce() -> Result<Option<SetEnforceGuard>> {
+    // If the process already has install_t, exit early
+    if self_has_install_t()? {
+        return Ok(None);
+    }
     selinux_ensure_install()?;
     let current = std::fs::read_to_string("/proc/self/attr/current")
         .context("Reading /proc/self/attr/current")?;
@@ -170,3 +174,10 @@ pub(crate) fn xattrs_have_selinux(xattrs: &ostree::glib::Variant) -> bool {
     }
     false
 }
+
+fn self_has_install_t() -> Result<bool> {
+    let current = std::fs::read_to_string("/proc/self/attr/current")
+        .context("Reading /proc/self/attr/current")?;
+
+    Ok(current.contains("install_t"))
+}
