From dfe95bd08b2419826cf82b8fcdcc7b6ef3cead18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Tue, 13 Apr 2021 14:13:11 +0200
Subject: [PATCH] selinux: only open selabel database once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Once opened, keep the selabel database open for further lookups.
Register an exit handler to close the database.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 lib/selinux.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/lib/selinux.c b/lib/selinux.c
index 719acda3..28ca5fff 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -40,6 +40,15 @@
 
 static bool selinux_checked = false;
 static bool selinux_enabled;
+static /*@null@*/struct selabel_handle *selabel_hnd = NULL;
+
+static void cleanup(void)
+{
+	if (selabel_hnd) {
+		selabel_close(selabel_hnd);
+		selabel_hnd = NULL;
+	}
+}
 
 /*
  * set_selinux_file_context - Set the security context before any file or
@@ -62,16 +71,17 @@ int set_selinux_file_context (const char *dst_name, mode_t mode)
 		/* Get the default security context for this file */
 
 		/*@null@*/char *fcontext_raw = NULL;
-		struct selabel_handle *hnd;
 		int r;
 
-		hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-		if (hnd == NULL) {
-			return security_getenforce () != 0;
+		if (selabel_hnd == NULL) {
+			selabel_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+			if (selabel_hnd == NULL) {
+				return security_getenforce () != 0;
+			}
+			(void) atexit(cleanup);
 		}
 
-		r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, mode);
-		selabel_close(hnd);
+		r = selabel_lookup_raw(selabel_hnd, &fcontext_raw, dst_name, mode);
 		if (r < 0) {
 			/* No context specified for the searched path */
 			if (errno == ENOENT) {