core: make SELinux enable/disable check symmetric
author Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 21 Mar 2015 22:50:10 +0000 (18:50 -0400)
committer Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 21 Mar 2015 23:55:33 +0000 (19:55 -0400)
We'd use the generic check for disable, and a unit-file-specific one for enable.
Use the more specific one both ways.

systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=disable path=(null) cmdline=/usr/lib/systemd/systemd-timedated: -13
systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:object_r:systemd_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline=/usr/lib/systemd/systemd-timedated: -13

https://bugzilla.redhat.com/show_bug.cgi?id=1014315

src/core/dbus-manager.c

index 76901c7f11a7739fc0df3ee54c76d1719a70ed33..1b26e5556ad0973f6644e153f67de62b4addfae3 100644 (file)
@@ -1799,15 +1799,15 @@ static int method_disable_unit_files_generic(
         assert(message);
         assert(m);
 
-        r = mac_selinux_access_check(message, verb, error);
+        r = sd_bus_message_read_strv(message, &l);
         if (r < 0)
                 return r;
 
-        r = sd_bus_message_read_strv(message, &l);
+        r = sd_bus_message_read(message, "b", &runtime);
         if (r < 0)
                 return r;
 
-        r = sd_bus_message_read(message, "b", &runtime);
+        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
         if (r < 0)
                 return r;
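
Review bot: The switch to `mac_selinux_unit_access_check_strv(l, message, m, verb, error)` in the last changed line moves the decision for every `verb` passed to this generic helper from the manager-wide check to a per-unit-file check, and that deserves a comment at the call site plus a note on policy impact. Going by the two log lines in the commit message, disable was previously evaluated as tclass=system against init_t, while enable was evaluated as tclass=service against the unit file's label. After this change disable takes the second form, so a policy that only grants the permission on the system class will start denying callers that used to pass. Two smaller points on ordering: both `sd_bus_message_read_strv` and `sd_bus_message_read` now run before any access check, so a caller that will be denied sees parse errors first, and `l` is populated before two early `return r;` paths. The declaration of `l` is outside this hunk, so please confirm it is freed automatically on those returns.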