authorLubomir Rintel <lkundrak@v3.sk>2013-12-06 14:05:49 +0100
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2013-12-27 22:40:43 -0500
commit4f7385fa496242f06aaf358b66b28d71348607b3 (patch)
tree3cd44ce11ed2b82ea5bb14cd6410a775450c835a
parent08bcebf36eb85f5e75b968de8c648e6614cc534b (diff)
selinux: Check access vector for enable/disable perm for each unit file
SELinux check will be done using the context of the unit file as a target instead of the default init_t context, allowing selinux control on the level of individual units. https://bugzilla.redhat.com/show_bug.cgi?id=1022762
-rw-r--r--src/core/dbus-manager.c18
1 files changed, 14 insertions, 4 deletions
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index b7978e6700..38004a07fb 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
+ char **i;
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
UnitFileScope scope;
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
assert(message);
assert(m);
- r = selinux_access_check(bus, message, verb, error);
- if (r < 0)
- return r;
-
r = sd_bus_message_read_strv(message, &l);
if (r < 0)
return r;
+#ifdef HAVE_SELINUX
+ STRV_FOREACH(i, l) {
+ Unit *u;
+
+ u = manager_get_unit(m, *i);
+ if (u) {
+ r = selinux_unit_access_check(u, bus, message, verb, error);
+ if (r < 0)
+ return r;
+ }
+ }
+#endif
+
r = sd_bus_message_read(message, "bb", &runtime, &force);
if (r < 0)
return r;
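Review bot: A unit name that is not currently loaded receives no SELinux check at all: `manager_get_unit()` returns NULL for it, the `if (u)` branch is skipped, and the unconditional `selinux_access_check(bus, message, verb, error)` that the removed lines performed is gone, so the per-unit check is a bypass rather than a refinement for exactly the common enable/disable case of a unit file that has never been started. Unless `selinux_unit_access_check` or a caller handles this elsewhere (not visible in this hunk), the loop should fall back to the old manager-level check when `u` is NULL, so every requested name is subject to at least the previous policy decision. The change is the loop body shown below; the `#ifdef HAVE_SELINUX` guard can stay as written. The body of method_enable_unit_files_generic continues past the end of this hunk.
```c
        STRV_FOREACH(i, l) {
                Unit *u;

                /* Check against the unit's own context when it is loaded;
                 * otherwise keep the manager-level check so that an
                 * unloaded unit name is never enabled/disabled unchecked. */
                u = manager_get_unit(m, *i);
                if (u)
                        r = selinux_unit_access_check(u, bus, message, verb, error);
                else
                        r = selinux_access_check(bus, message, verb, error);
                if (r < 0)
                        return r;
        }
```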