***/
#include <errno.h>
-#include <unistd.h>
#include <malloc.h>
#include <sys/un.h>
return;
selabel_close(label_hnd);
+ label_hnd = NULL;
#endif
}
r = lsetfilecon(path, fcon);
/* If the FS doesn't support labels, then exit without warning */
- if (r < 0 && errno == ENOTSUP)
+ if (r < 0 && errno == EOPNOTSUPP)
return 0;
}
}
return r;
}
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
int r = -EOPNOTSUPP;
#ifdef HAVE_SELINUX
if (r < 0)
return -errno;
- r = getexeccon(&fcon);
- if (r < 0)
- return -errno;
-
- if (!fcon) {
+ if (!exec_label) {
/* If there is no context set for next exec let's use context
of target executable */
r = getfilecon(exe, &fcon);
r = selabel_lookup_raw(label_hnd, &filecon, newpath, mode);
}
- if (r < 0 && errno != ENOENT)
+ /* No context specified by the policy? Proceed without setting it. */
+ if (r < 0 && errno == ENOENT)
+ return 0;
+
+ if (r < 0)
r = -errno;
- else if (r == 0) {
+ else {
r = setfscreatecon(filecon);
if (r < 0) {
log_enforcing("Failed to set SELinux security context %s for %s: %m", filecon, path);