selinux: Check access vector for enable/disable perm for each unit file
[elogind.git] / src / core / dbus-manager.c
index b7978e67005047b5f4eb3398c7059e37618d6102..38004a07fbb66e8abe59b0ac1e9cafef4fed4513 100644 (file)
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
                 sd_bus_error *error) {
 
         _cleanup_strv_free_ char **l = NULL;
+        char **i;
         UnitFileChange *changes = NULL;
         unsigned n_changes = 0;
         UnitFileScope scope;
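Review bot: `char **i;` is declared unconditionally, but its only use visible in this diff is inside the `#ifdef HAVE_SELINUX` block in the next hunk, so a build without SELinux would probably warn about an unused variable. Declaring it inside the guarded block, next to `Unit *u;`, keeps the iterator scoped to the code that needs it. The function body starts and continues outside this hunk, so confirm there is no other user of `i` before moving it.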
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
         assert(message);
         assert(m);
 
-        r = selinux_access_check(bus, message, verb, error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_read_strv(message, &l);
         if (r < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
+        STRV_FOREACH(i, l) {
+                Unit *u;
+
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = selinux_unit_access_check(u, bus, message, verb, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
+#endif
+
         r = sd_bus_message_read(message, "bb", &runtime, &force);
         if (r < 0)
                 return r;
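Review bot: The new loop fails open, because when `manager_get_unit(m, *i)` returns NULL the entry is skipped with no access check, and the manager-wide `selinux_access_check(bus, message, verb, error)` that used to cover every request is removed in the same hunk. A unit that is not currently loaded, an entry that does not resolve to a unit name, or an empty list would then reach the enable/disable code with no SELinux decision at all. Keep a check on the fallback path, for example `} else { r = selinux_access_check(bus, message, verb, error); if (r < 0) return r; }`, and run the generic check once when `l` is empty. The loop also runs before the `"bb"` arguments are read, so a denial is returned before the message is fully parsed; that ordering is fine, but a short comment such as `/* per-unit check; unloaded units fall back to the manager-level check */` would make the intended policy explicit. The function body extends beyond this hunk, so whether a later check exists is not visible here.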