diff options
author | Lubomir Rintel <lkundrak@v3.sk> | 2013-12-06 14:05:49 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2013-12-27 22:40:43 -0500 |
commit | 4f7385fa496242f06aaf358b66b28d71348607b3 (patch) | |
tree | 3cd44ce11ed2b82ea5bb14cd6410a775450c835a | |
parent | 08bcebf36eb85f5e75b968de8c648e6614cc534b (diff) |
selinux: Check access vector for enable/disable perm for each unit file
SELinux check will be done using the context of the unit file as as a
target instead of the default init_t context, allowing selinux control
on the level of individual units.
https://bugzilla.redhat.com/show_bug.cgi?id=1022762
-rw-r--r-- | src/core/dbus-manager.c | 18 |
1 files changed, 14 insertions, 4 deletions
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index b7978e6700..38004a07fb 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic( sd_bus_error *error) { _cleanup_strv_free_ char **l = NULL; + char **i; UnitFileChange *changes = NULL; unsigned n_changes = 0; UnitFileScope scope; @@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic( assert(message); assert(m); - r = selinux_access_check(bus, message, verb, error); - if (r < 0) - return r; - r = sd_bus_message_read_strv(message, &l); if (r < 0) return r; +#ifdef HAVE_SELINUX + STRV_FOREACH(i, l) { + Unit *u; + + u = manager_get_unit(m, *i); + if (u) { + r = selinux_unit_access_check(u, bus, message, verb, error); + if (r < 0) + return r; + } + } +#endif + r = sd_bus_message_read(message, "bb", &runtime, &force); if (r < 0) return r; |