Separate out the code to compute the context from selinux_setup().

This makes it possible to determine whether we really need to execute the command via the sesh helper. What was left of selinux_setup() is now selinux_relabel_tty() and selinux_audit_role_change().
2021-11-05 12:33:20 -06:00
parent a336a8422f
commit e97fb5fd0b
6 changed files with 61 additions and 69 deletions
--- a/src/exec_nopty.c
+++ b/src/exec_nopty.c
@@ -392,12 +392,12 @@ exec_nopty(struct command_details *details, struct command_status *cstat)

 #ifdef HAVE_SELINUX
    if (ISSET(details->flags, CD_RBAC_ENABLED)) {
-        if (selinux_setup(details->selinux_role, details->selinux_type,
-		details->tty, -1, true) == -1) {
+        if (selinux_relabel_tty(details->tty, -1) == -1) {
 	    cstat->type = CMD_ERRNO;
 	    cstat->val = errno;
 	    debug_return;
 	}
+	selinux_audit_role_change();
    }
 #endif