Separate out the code to compute the context from selinux_setup().

This makes it possible to determine whether we really need to execute the command via the sesh helper. What was left of selinux_setup() is now selinux_relabel_tty() and selinux_audit_role_change().
2021-11-05 12:33:20 -06:00
parent a336a8422f
commit e97fb5fd0b
6 changed files with 61 additions and 69 deletions
--- a/src/exec_monitor.c
+++ b/src/exec_monitor.c
@@ -605,9 +605,9 @@ exec_monitor(struct command_details *details, sigset_t *oset,

 #ifdef HAVE_SELINUX
    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
-        if (selinux_setup(details->selinux_role, details->selinux_type,
-            details->tty, io_fds[SFD_FOLLOWER], true) == -1)
+        if (selinux_relabel_tty(details->tty, io_fds[SFD_FOLLOWER]) == -1)
            goto bad;
+	selinux_audit_role_change();
    }
 #endif