From 32b7a07b8c6cfd4804e381934e3c62234ec12dd5 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Thu, 20 Nov 2025 13:52:51 +0100 Subject: [PATCH 1/2] core/exec-invoke: deduplicate needs_setuid with needs_sandboxing --- src/core/exec-invoke.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 59808477d1..1d4fa3756d 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -5732,7 +5732,7 @@ int exec_invoke( /* We need setresuid() if the caller asked us to apply sandboxing and the command isn't explicitly * excepted from either whole sandboxing or just setresuid() itself. */ - needs_setuid = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & (EXEC_COMMAND_FULLY_PRIVILEGED|EXEC_COMMAND_NO_SETUID)); + needs_setuid = needs_sandboxing && !FLAGS_SET(command->flags, EXEC_COMMAND_NO_SETUID); uint64_t capability_ambient_set = context->capability_ambient_set; From 375a4bd878e472ed9f14627c29bc0b484bf37be7 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Thu, 20 Nov 2025 20:07:32 +0100 Subject: [PATCH 2/2] core/selinux-setup: actually skip setup gracefully when libselinux is not available Follow-up for 83b6ef9b62765b11bc602eae906ff13a5464a638 --- src/core/selinux-setup.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/core/selinux-setup.c b/src/core/selinux-setup.c index 891fa3cd8e..6f78346036 100644 --- a/src/core/selinux-setup.c +++ b/src/core/selinux-setup.c @@ -19,8 +19,10 @@ int mac_selinux_setup(bool *loaded_policy) { int r; r = dlopen_libselinux(); - if (r < 0) - return log_debug_errno(r, "No SELinux library available, skipping setup: %m"); + if (r < 0) { + log_debug_errno(r, "No SELinux library available, skipping setup."); + return 0; + } mac_selinux_disable_logging();