selinux: Begin and end the transaction on the same nesting level

Transaction should be started and commited on the same code nesting or
abstraction level. Also, transactions are really costly with libselinux
and splitting them from initialization will make init function reusable
by read-only libsemanage functions.

Reviewed-by: Michal Židek <mzidek@redhat.com>

1 files changed, 14 insertions, 6 deletions

diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index d141de1c6..c0342498c 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -109,12 +109,6 @@ static semanage_handle_t *sss_semanage_init(void)
         goto fail;
     }
 
-    ret = semanage_begin_transaction(handle);
-    if (ret != 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
-        goto fail;
-    }
-
     return handle;
 fail:
     sss_semanage_close(handle);
@@ -243,6 +237,13 @@ int set_seuser(const char *login_name, const char *seuser_name,
         goto done;
     }
 
+    ret = semanage_begin_transaction(handle);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
+        ret = EIO;
+        goto done;
+    }
+
     ret = semanage_seuser_key_create(handle, login_name, &key);
     if (ret != 0) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");
@@ -303,6 +304,13 @@ int del_seuser(const char *login_name)
         goto done;
     }
 
+    ret = semanage_begin_transaction(handle);
+    if (ret != 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");
+        ret = EIO;
+        goto done;
+    }
+
     ret = semanage_seuser_key_create(handle, login_name, &key);
     if (ret != 0) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");