exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like...
authorMichael Scherer <misc@zarb.org>
Thu, 6 Feb 2014 09:05:18 +0000 (10:05 +0100)
committerLennart Poettering <lennart@poettering.net>
Mon, 10 Feb 2014 12:18:16 +0000 (13:18 +0100)
Also remove the call to security_check_context, as it serves no purpose:
setexeccon will fail anyway.

man/systemd.exec.xml
src/core/execute.c

index 4281c03..ecf48a7 100644 (file)
                                 <listitem><para>Set the SELinux context of the
                                 executed process. If set, this will override the
                                 automated domain transition. However, the policy
-                                still need to autorize the transition. See
+                                still need to autorize the transition. This directive
+                                is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
+                                all errors will be ignored. See
                                 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
                                 for details.</para></listitem>
                         </varlistentry>
index 474a4af..4370654 100644 (file)
@@ -72,6 +72,7 @@
 #include "fileio.h"
 #include "unit.h"
 #include "async.h"
+#include "selinux-util.h"
 
 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@@ -1570,13 +1571,18 @@ int exec_spawn(ExecCommand *command,
                         }
 #ifdef HAVE_SELINUX
                         if (context->selinux_context && use_selinux()) {
-                                err = security_check_context(context->selinux_context);
-                                if (err < 0) {
-                                        r = EXIT_SELINUX_CONTEXT;
-                                        goto fail_child;
-                                }
-                                err = setexeccon(context->selinux_context);
-                                if (err < 0) {
+                                bool ignore;
+                                char* c;
+
+                                c = context->selinux_context;
+                                if (c[0] == '-') {
+                                        c++;
+                                        ignore = true;
+                                } else
+                                        ignore = false;
+
+                                err = setexeccon(c);
+                                if (err < 0 && !ignore) {
                                         r = EXIT_SELINUX_CONTEXT;
                                         goto fail_child;
                                 }
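Review bot: When the `-` prefix is present and setexeccon() fails, the failure at `if (err < 0 && !ignore)` is dropped without a trace, so the service silently runs under whatever domain the default transition yields instead of the configured one; a debug-level message on the ignored path would keep that visible to operators, e.g. `if (err < 0 && ignore) log_debug("Failed to set SELinux context %s, ignoring.", c);` (provided logging is usable in the child at this point — confirm against the surrounding code). Initialising `bool ignore = false;` and dropping the `else` branch would also read more cleanly than the two-way assignment. Note that `err` holds setexeccon()'s -1 rather than -errno, so if fail_child reports the reason via strerror(-err) it will be misreported; the removed code had the same property. exec_spawn continues outside the hunk on both sides.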