authorDaan De Meyer <daan.j.demeyer@gmail.com>2023-03-26 18:20:41 +0200
committerDaan De Meyer <daan.j.demeyer@gmail.com>2023-05-31 13:15:53 +0200
commita452c807a447121ce4ba100863cdc4fb81cde047 (patch)
tree7a4f45b84a5dc321514e89bf41d4e2c8ce117e14 /src/shared/selinux-util.c
parentlabel: Rename to label-util.h (diff)
label: Introduce LabelOps to do pre/post labelling operations
By default, label_ops is initialized with a NULL pointer which translates to noop labelling operations. In mac_selinux_init() and the new mac_smack_init(), we initialize label_ops with a MAC specific LabelOps pointer. We also introduce mac_init() to initialize any configured MACs and replace all usages of mac_selinux_init() with mac_init().
Diffstat (limited to 'src/shared/selinux-util.c')
-rw-r--r--src/shared/selinux-util.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index cc00a85952..a38a56f434 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -20,6 +20,7 @@
#include "alloc-util.h"
#include "errno-util.h"
#include "fd-util.h"
+#include "label.h"
#include "log.h"
#include "macro.h"
#include "mallinfo-util.h"
@@ -54,6 +55,15 @@ static bool have_status_page = false;
: -ERRNO_VALUE(_e); \
_enforcing ? _r : 0; \
})
+
+static int mac_selinux_label_pre(int dir_fd, const char *path, mode_t mode) {
+ return mac_selinux_create_file_prepare_at(dir_fd, path, mode);
+}
+
+static int mac_selinux_label_post(int dir_fd, const char *path) {
+ mac_selinux_create_file_clear();
+ return 0;
+}
#endif
bool mac_selinux_use(void) {
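Review bot: `mac_selinux_label_post()` ignores both `dir_fd` and `path` and always returns 0, so the pair is only correct if every caller runs the post hook after a successful pre hook, including when the file creation in between fails. The two helpers being wrapped are defined outside this hunk, but their names suggest the pre hook sets a file creation context that stays in effect until it is cleared. If so, a skipped post hook would leave that context in place and later, unrelated files could be created with the wrong label. I would state the contract above the two functions, e.g. `/* pre sets the creation context for dir_fd/path; post must run afterwards on every path, success or failure, to clear it. */`. The unused parameters have to stay because the functions are assigned to the `.pre`/`.post` members of `LabelOps`, and a short comment saying so would stop someone "cleaning them up" later.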
@@ -128,6 +138,10 @@ static int open_label_db(void) {
int mac_selinux_init(void) {
#if HAVE_SELINUX
+ static const LabelOps label_ops = {
+ .pre = mac_selinux_label_pre,
+ .post = mac_selinux_label_post,
+ };
int r;
if (initialized)
@@ -152,6 +166,10 @@ int mac_selinux_init(void) {
return r;
}
+ r = label_ops_set(&label_ops);
+ if (r < 0)
+ return r;
+
/* Save the current policyload sequence number, so mac_selinux_maybe_reload() does not trigger on
* first call without any actual change. */
last_policyload = selinux_status_policyload();
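Review bot: The new `if (r < 0) return r;` after `label_ops_set(&label_ops)` fails initialization silently, with no log line and without going through the enforcing-aware macro whose tail is visible in the earlier hunk (`_enforcing ? _r : 0`). A failure here is therefore presumably fatal in permissive mode too, unlike the other error paths. If that is intended it deserves a comment; otherwise something like `return log_enforcing_errno(r, "Failed to set SELinux label operations: %m");` would match the rest of the function. The steps before this call are outside the hunk, but if they have already opened the status page and the label database, this early return leaves them open. In that case it should undo them the same way the error branch just above does.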