authorDavid Herrmann <dh.herrmann@gmail.com>2015-08-27 16:23:47 +0200
committerDavid Herrmann <dh.herrmann@gmail.com>2015-08-27 16:29:01 +0200
commit8faae625dc9b6322db452937f54176e56e65265a (patch)
tree6d8bb83e521173ce69453e465858415b253a038e /src/core/dbus-manager.c
parent19bee5c3674cda184443509b49b9415f599349ab (diff)
selinux: drop mac_selinux_unit_access_check_strv()
It is not acceptable to load unit files during enable/disable operations just to figure out the selinux labels. systemd implements lazy loading for units, so the selinux hooks need to follow it. This drops the mac_selinux_unit_access_check_strv() helper, which implements a non-acceptable policy check. If anyone cares for that functionality, you really should pass a callback+userdata to the helpers in src/shared/install.c, so that the callback does policy checks on each touched file. See #1050 on github for more.
Diffstat (limited to 'src/core/dbus-manager.c')
-rw-r--r--src/core/dbus-manager.c16
1 files changed, 0 insertions, 16 deletions
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 5722e3c2bb..0b365391ec 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1650,10 +1650,6 @@ static int method_enable_unit_files_generic(
if (r < 0)
return r;
- r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
- if (r < 0)
- return r;
-
r = bus_verify_manage_unit_files_async(m, message, error);
if (r < 0)
return r;
@@ -1723,10 +1719,6 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use
return -EINVAL;
}
- r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
- if (r < 0)
- return r;
-
r = bus_verify_manage_unit_files_async(m, message, error);
if (r < 0)
return r;
@@ -1766,10 +1758,6 @@ static int method_disable_unit_files_generic(
if (r < 0)
return r;
- r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
- if (r < 0)
- return r;
-
scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
r = bus_verify_manage_unit_files_async(m, message, error);
@@ -1902,10 +1890,6 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd
if (dep < 0)
return -EINVAL;
- r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
- if (r < 0)
- return r;
-
scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);