selinux: Check access vector for enable/disable perm for each unit file

SELinux check will be done using the context of the unit file as as a
target instead of the default init_t context, allowing selinux control
on the level of individual units.

https://bugzilla.redhat.com/show_bug.cgi?id=1022762

1 files changed, 14 insertions, 4 deletions

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index b7978e6700..38004a07fb 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
                 sd_bus_error *error) {
 
         _cleanup_strv_free_ char **l = NULL;
+        char **i;
         UnitFileChange *changes = NULL;
         unsigned n_changes = 0;
         UnitFileScope scope;
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
         assert(message);
         assert(m);
 
-        r = selinux_access_check(bus, message, verb, error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_read_strv(message, &l);
         if (r < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
+        STRV_FOREACH(i, l) {
+                Unit *u;
+
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = selinux_unit_access_check(u, bus, message, verb, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
+#endif
+
         r = sd_bus_message_read(message, "bb", &runtime, &force);
         if (r < 0)
                 return r;