X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fsocket.c;fp=src%2Fcore%2Fsocket.c;h=e9cf7b3e933c8a1b40831b91389f7e0d6a8a5797;hb=7f416dae9bcf1cfb63689ee9ac851adf738f072b;hp=780015012f7cbcf934be7b7c3bd90422e12c06d3;hpb=376a2980960baba22b9bee6b227c27c373215b5a;p=elogind.git diff --git a/src/core/socket.c b/src/core/socket.c index 780015012..e9cf7b3e9 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -1139,22 +1139,33 @@ static int socket_open_fds(Socket *s) { continue; if (p->type == SOCKET_SOCKET) { - if (!know_label && s->selinux_context_from_net) { - r = mac_selinux_get_our_label(&label); - if (r < 0) - return r; - know_label = true; - } else if (!know_label) { - r = socket_instantiate_service(s); - if (r < 0) - return r; + if (!know_label) { + /* Figure out label, if we don't it know + * yet. We do it once, for the first + * socket where we need this and + * remember it for the rest. */ + + if (s->selinux_context_from_net) { + /* Get it from the network label */ + + r = mac_selinux_get_our_label(&label); + if (r < 0 && r != EOPNOTSUPP) + goto rollback; - if (UNIT_ISSET(s->service) && - SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) { - r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label); - if (r < 0 && r != -EPERM) - return r; + } else { + /* Get it from the executable we are about to start */ + + r = socket_instantiate_service(s); + if (r < 0) + goto rollback; + + if (UNIT_ISSET(s->service) && + SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) { + r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label); + if (r < 0 && r != -EPERM && r != EOPNOTSUPP) + goto rollback; + } } know_label = true; @@ -1219,6 +1230,7 @@ static int socket_open_fds(Socket *s) { rollback: socket_close_fds(s); mac_selinux_free(label); + return r; }