X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fsocket.c;h=6ba8338d8b26ef00d905b779c45bf77e960e5483;hb=311f6cf33f6fd50921540875c3e6eb1ffd339124;hp=780015012f7cbcf934be7b7c3bd90422e12c06d3;hpb=d53e386db62ee7f03e7d493ae0e6db7a31a5d811;p=elogind.git
diff --git a/src/core/socket.c b/src/core/socket.c
index 780015012..6ba8338d8 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -967,7 +967,7 @@ static int fifo_address_create(
 mkdir_parents_label(path, directory_mode);
- r = mac_selinux_context_set(path, S_IFIFO);
+ r = mac_selinux_create_file_prepare(path, S_IFIFO);
 if (r < 0)
 goto fail;
@@ -990,7 +990,7 @@ static int fifo_address_create(
 goto fail;
 }
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
 if (fstat(fd, &st) < 0) {
 r = -errno;
@@ -1010,7 +1010,7 @@ static int fifo_address_create(
 return 0;
 fail:
- mac_selinux_context_clear();
+ mac_selinux_create_file_clear();
 safe_close(fd);
 return r;
@@ -1120,7 +1120,7 @@ static int socket_symlink(Socket *s) {
 return 0;
 STRV_FOREACH(i, s->symlinks)
- symlink(p, *i);
+ symlink_label(p, *i);
 return 0;
 }
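Review bot: The result of `symlink_label(p, *i)` in the `STRV_FOREACH` loop of socket_symlink() is discarded, so a symlink that could not be created or labelled leaves no trace and the function still returns 0. The switch exists so the link gets the right security label, which makes a failure here worth at least a log line naming the path: capture it as `r = symlink_label(p, *i);` and log when `r < 0`, while still continuing with the remaining entries. This presumes symlink_label() returns a negative errno like the other helpers in this file and that a suitable `r` is declared above the hunk; neither is visible here.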
@@ -1139,22 +1139,33 @@ static int socket_open_fds(Socket *s) {
 continue;
 if (p->type == SOCKET_SOCKET) {
- if (!know_label && s->selinux_context_from_net) {
- r = mac_selinux_get_our_label(&label);
- if (r < 0)
- return r;
- know_label = true;
- } else if (!know_label) {
- r = socket_instantiate_service(s);
- if (r < 0)
- return r;
+ if (!know_label) {
+ /* Figure out label, if we don't it know
+ * yet. We do it once, for the first
+ * socket where we need this and
+ * remember it for the rest. */
+
+ if (s->selinux_context_from_net) {
+ /* Get it from the network label */
+
+ r = mac_selinux_get_our_label(&label);
+ if (r < 0 && r != -EOPNOTSUPP)
+ goto rollback;
- if (UNIT_ISSET(s->service) &&
- SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
- r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
- if (r < 0 && r != -EPERM)
- return r;
+ } else {
+ /* Get it from the executable we are about to start */
+
+ r = socket_instantiate_service(s);
+ if (r < 0)
+ goto rollback;
+
+ if (UNIT_ISSET(s->service) &&
+ SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]) {
+ r = mac_selinux_get_create_label_from_exe(SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START]->path, &label);
+ if (r < 0 && r != -EPERM && r != -EOPNOTSUPP)
+ goto rollback;
+ }
 }
 know_label = true;
@@ -1219,6 +1230,7 @@ static int socket_open_fds(Socket *s) {
 rollback:
 socket_close_fds(s);
 mac_selinux_free(label);
+
 return r;
 }
@@ -1566,7 +1578,8 @@ static void socket_enter_signal(Socket *s, SocketState state, SocketResult f) {
 r = unit_kill_context(
 UNIT(s),
 &s->kill_context,
- state != SOCKET_STOP_PRE_SIGTERM && state != SOCKET_FINAL_SIGTERM,
+ (state != SOCKET_STOP_PRE_SIGTERM && state != SOCKET_FINAL_SIGTERM) ?
+ KILL_KILL : KILL_TERMINATE,
 -1,
 s->control_pid,
 false);
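Review bot: In socket_open_fds(), the new label lookup treats `-EOPNOTSUPP` (both branches) and `-EPERM` (executable branch) as success without any message and then sets `know_label = true`, so the sockets are opened with whatever `label` held before the call. On a host where SELinux labelling was expected, that fallback is invisible to the operator; a debug-level log at the two `if (r < 0 && ...)` checks, saying the label could not be determined and the default context is used, would make it diagnosable. The fallback also relies on `label` being initialised to NULL and left untouched on failure, which happens outside the hunk and is worth confirming. The new comment has two words transposed: `if we don't it know yet` should read `if we don't know it yet`.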
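Review bot: The `KILL_KILL : KILL_TERMINATE` selection in the unit_kill_context() call keeps the old negated test, so every state other than the two SIGTERM ones, including one passed by mistake, selects what is presumably the more forceful operation. Stating it positively reads more directly and keeps the same behaviour: `(state == SOCKET_STOP_PRE_SIGTERM || state == SOCKET_FINAL_SIGTERM) ? KILL_TERMINATE : KILL_KILL,`. A one-line comment naming the states expected to reach KILL_KILL would help, since the rest of socket_enter_signal() lies outside the hunk.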