authorLennart Poettering <lennart@poettering.net>2015-11-11 12:55:32 +0100
committerLennart Poettering <lennart@poettering.net>2015-11-11 12:55:32 +0100
commit7fc04b12e0129cfedca05b13068e9c3aa7c3c196 (patch)
tree5982f0d898a41f7e2f70ab572a4dd7e4dbacb28e
parenta5642c7ee3dbd9aae07b531a81c0f02b3c2e1103 (diff)
sd-bus: don't try to acquire connection selinux label unless selinux is actually enabled
Otherwise we might end up mistaking a SMACK label for an SELinux label. Also fixes unexpected debug messages: http://lists.freedesktop.org/archives/systemd-devel/2015-November/034913.html
-rw-r--r--src/libsystemd/sd-bus/bus-control.c6
-rw-r--r--src/libsystemd/sd-bus/bus-socket.c9
2 files changed, 11 insertions, 4 deletions
diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c
index d5bc32e757..ddd3a55b6c 100644
--- a/src/libsystemd/sd-bus/bus-control.c
+++ b/src/libsystemd/sd-bus/bus-control.c
@@ -981,8 +981,12 @@ static int bus_get_owner_creds_kdbus(sd_bus *bus, uint64_t mask, sd_bus_creds **
static int bus_get_owner_creds_dbus1(sd_bus *bus, uint64_t mask, sd_bus_creds **ret) {
_cleanup_bus_creds_unref_ sd_bus_creds *c = NULL;
pid_t pid = 0;
+ bool do_label;
int r;
- bool do_label = bus->label && (mask & SD_BUS_CREDS_SELINUX_CONTEXT);
+
+ assert(bus);
+
+ do_label = bus->label && (mask & SD_BUS_CREDS_SELINUX_CONTEXT);
/* Avoid allocating anything if we have no chance of returning useful data */
if (!bus->ucred_valid && !do_label)
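Review bot: `do_label` treats any non-NULL `bus->label` as an SELinux context, so the fix depends on an invariant that is enforced in another file and is not stated at this assignment. Going by the bus-socket.c hunk of this commit, `b->label` is filled in only when `mac_selinux_use()` is true; if some path not visible in this diff also assigns `label`, a non-SELinux label could still be returned under `SD_BUS_CREDS_SELINUX_CONTEXT`. I would add a comment above the assignment, for example `/* bus->label is only set when SELinux is in use (see bus_get_peercred()), so it is safe to report as the SELinux context */`. The body of bus_get_owner_creds_dbus1() continues past the end of the hunk.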
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index a5cb667630..25873dea1e 100644
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -36,6 +36,7 @@
#include "hexdecoct.h"
#include "macro.h"
#include "missing.h"
+#include "selinux-util.h"
#include "signal-util.h"
#include "stdio-util.h"
#include "string-util.h"
@@ -608,9 +609,11 @@ static void bus_get_peercred(sd_bus *b) {
b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
/* Get the SELinux context of the peer */
- r = getpeersec(b->input_fd, &b->label);
- if (r < 0 && r != -EOPNOTSUPP)
- log_debug_errno(r, "Failed to determine peer security context: %m");
+ if (mac_selinux_use()) {
+ r = getpeersec(b->input_fd, &b->label);
+ if (r < 0 && r != -EOPNOTSUPP)
+ log_debug_errno(r, "Failed to determine peer security context: %m");
+ }
}
static int bus_socket_start_auth_client(sd_bus *b) {
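Review bot: The comment above the new `if (mac_selinux_use())` still says only "Get the SELinux context of the peer", so the reason for the guard is recorded in the commit message and nowhere in the code. I would extend it to something like `/* Get the SELinux context of the peer, but only if SELinux is in use: otherwise the label may belong to another LSM such as SMACK */`, so that a later cleanup does not drop the check as redundant. With the guard in place `b->label` is simply not set on non-SELinux systems, so code that consumes it should presumably treat an absent label as "unknown" rather than as evidence about the peer. bus_get_peercred() starts before the hunk.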