selinux: Disable selinux logging in mac_init() as well

We currently only disable selinux logging in mac_selinux_setup(), but not in mac_init(). We don't want libraries we use to log unless we tell them to, so disable selinux's logging in mac_init() as well.
2026-04-14 08:25:20 +09:00 · 2025-04-23 17:26:11 +02:00
parent 3a4aa7f5b2
commit d04f6fe446
3 changed files with 19 additions and 9 deletions
--- a/src/core/selinux-setup.c
+++ b/src/core/selinux-setup.c
@@ -19,21 +19,13 @@
 #include "string-util.h"
 #include "time-util.h"

-#if HAVE_SELINUX
-_printf_(2,3)
-static int null_log(int type, const char *fmt, ...) {
-        return 0;
-}
-#endif
-
 int mac_selinux_setup(bool *loaded_policy) {
        assert(loaded_policy);

 #if HAVE_SELINUX
        int r;

-        /* Turn off all of SELinux' own logging, we want to do that ourselves */
-        selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = null_log });
+        mac_selinux_disable_logging();

        /* Don't load policy in the initrd if we don't appear to have it.  For the real root, we check below
         * if we've already loaded policy, and return gracefully. */
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -167,6 +167,8 @@ static int selinux_init(bool force) {
        if (!force && initialized != LAZY_INITIALIZED)
                return 1;

+        mac_selinux_disable_logging();
+
        r = selinux_status_open(/* netlink fallback= */ 1);
        if (r < 0) {
                if (!ERRNO_IS_PRIVILEGE(errno))
@@ -263,6 +265,20 @@ void mac_selinux_finish(void) {
 #endif
 }

+#if HAVE_SELINUX
+_printf_(2,3)
+static int selinux_log_glue(int type, const char *fmt, ...) {
+        return 0;
+}
+#endif
+
+void mac_selinux_disable_logging(void) {
+#if HAVE_SELINUX
+        /* Turn off all of SELinux' own logging, we want to do that ourselves */
+        selinux_set_callback(SELINUX_CB_LOG, (const union selinux_callback) { .func_log = selinux_log_glue });
+#endif
+}
+
 #if HAVE_SELINUX
 static int selinux_fix_fd(
                int fd,
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -32,6 +32,8 @@ int mac_selinux_init_lazy(void);
 void mac_selinux_maybe_reload(void);
 void mac_selinux_finish(void);

+void mac_selinux_disable_logging(void);
+
 int mac_selinux_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);

 int mac_selinux_apply(const char *path, const char *label);