selinux: Check access vector for enable/disable perm for each unit file
authorLubomir Rintel <lkundrak@v3.sk>
Fri, 6 Dec 2013 13:05:49 +0000 (14:05 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Sat, 28 Dec 2013 03:40:43 +0000 (22:40 -0500)
SELinux check will be done using the context of the unit file as a
target instead of the default init_t context, allowing selinux control
on the level of individual units.

https://bugzilla.redhat.com/show_bug.cgi?id=1022762

src/core/dbus-manager.c

index b7978e6..38004a0 100644 (file)
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
                 sd_bus_error *error) {
 
         _cleanup_strv_free_ char **l = NULL;
+        char **i;
         UnitFileChange *changes = NULL;
         unsigned n_changes = 0;
         UnitFileScope scope;
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
         assert(message);
         assert(m);
 
-        r = selinux_access_check(bus, message, verb, error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_read_strv(message, &l);
         if (r < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
+        STRV_FOREACH(i, l) {
+                Unit *u;
+
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = selinux_unit_access_check(u, bus, message, verb, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
+#endif
+
         r = sd_bus_message_read(message, "bb", &runtime, &force);
         if (r < 0)
                 return r;
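Review bot: A unit name that is not currently loaded is skipped entirely: `manager_get_unit` returns NULL, the `if (u)` branch is bypassed, and because the unconditional `selinux_access_check(bus, message, verb, error)` on the old side was removed, enabling or disabling a unit file the manager has not loaded now proceeds with no SELinux check at all. Enabling a unit file is exactly the case where the unit is often not yet loaded, so the new per-unit check gives weaker coverage than the one it replaces. A minimal fix keeps the old check as the fallback for that case: replace the `if (u)` block with `r = u ? selinux_unit_access_check(u, bus, message, verb, error) : selinux_access_check(bus, message, verb, error);` followed by the existing `if (r < 0) return r;`. A stronger option would be to check against the unit file's own context even when it is not loaded, which would require resolving the file here; I have not verified which helper is available for that. method_enable_unit_files_generic starts before the first hunk and continues past this one.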