GitLab

upstream commit 685f4aeeadc0b60f3770404d4f149610d656e3c8.

SELinux can be disabled via the selinux=0 kernel parameter or via
/sys/fs/selinux/disable (triggered by setting SELINUX=disabled in
/etc/selinux/config).  In either case, selinuxfs will be unmounted
and unregistered and therefore it is sufficient to check for the
selinuxfs mount.  We do not need to check for no-policy-loaded and
treat that as SELinux-disabled anymore; that is a relic of Fedora Core 2
days.  Drop the no-policy-loaded test, which was a bit of a hack anyway
(checking whether getcon_raw() returned "kernel" as that can only happen
if no policy is yet loaded and therefore security_sid_to_context() only
has the initial SID name available to return as the context).

May possibly fix https://bugzilla.redhat.com/show_bug.cgi?id=1195074


by virtue of removing the call to getcon_raw() and therefore avoiding
use of tls on is_selinux_enabled() calls.  Regardless, it will make
is_selinux_enabled() faster and simpler.

[sds:  Adapted for the Android libselinux port.  Also drops the
fallback to scanning /proc/filesystems for selinuxfs as this was
already done upstream; init mounts selinuxfs via libselinux prior to any
is_selinux_enabled() checks.  The tls bug is not relevant in Android
since the Android libselinux port does not use tls, but this change
is nonetheless useful to optimize is_selinux_enabled().]

Change-Id: Ia8b484a3a2fe7f604b0bfb8f5b109ad7674c1152
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>