exec: Add SELinuxContext configuration item

This permit to let system administrators decide of the domain of a service.
This can be used with templated units to have each service in a différent
domain ( for example, a per customer database, using MLS or anything ),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.

1 files changed, 27 insertions, 0 deletions

diff --git a/src/core/execute.c b/src/core/execute.c
index 91e4352f9a..c02c768c68 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -47,6 +47,10 @@
 #include <security/pam_appl.h>
 #endif
 
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "execute.h"
 #include "strv.h"
 #include "macro.h"
@@ -1564,6 +1568,20 @@ int exec_spawn(ExecCommand *command,
                                         goto fail_child;
                                 }
                         }
+#ifdef HAVE_SELINUX
+                        if (context->selinux_context) {
+                                err = security_check_context(context->selinux_context);
+                                if (err < 0) {
+                                        r = EXIT_SELINUX_CONTEXT;
+                                        goto fail_child;
+                                }
+                                err = setexeccon(context->selinux_context);
+                                if (err < 0) {
+                                        r = EXIT_SELINUX_CONTEXT;
+                                        goto fail_child;
+                                }
+                        }
+#endif
                 }
 
                 err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env);
@@ -1722,6 +1740,9 @@ void exec_context_done(ExecContext *c) {
         free(c->utmp_id);
         c->utmp_id = NULL;
 
+        free(c->selinux_context);
+        c->selinux_context = NULL;
+
         free(c->syscall_filter);
         c->syscall_filter = NULL;
 }
@@ -2091,6 +2112,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 fprintf(f,
                         "%sUtmpIdentifier: %s\n",
                         prefix, c->utmp_id);
+
+        if (c->selinux_context)
+                fprintf(f,
+                        "%sSELinuxContext: %s\n",
+                        prefix, c->selinux_context);
+
 }
 
 void exec_status_start(ExecStatus *s, pid_t pid) {