authorMichal Sekletar <msekleta@redhat.com>2014-11-12 13:53:27 +0100
committerLennart Poettering <lennart@poettering.net>2014-12-04 03:00:01 +0100
commit9008e1ac925afcdef7b45042c03fa5444f1c52c2 (patch)
treebf56221d70f9c3acc210058e98294ba9f058aaf2 /src/core/execute.c
parentfe0b9cd3ba25fb5063b6782983dde0a0c9915660 (diff)
selinux: figure out selinux context applied on exec() before closing all fds
We need the original socket_fd still open, otherwise mac_selinux_get_child_mls_label() fails with -EINVAL. Also, don't call setexeccon() twice; instead pass the value of the SELinuxContext= option to mac_selinux_get_child_mls_label() as an extra argument.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r--src/core/execute.c31
1 files changed, 14 insertions, 17 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index ea745aa198..b7ac4c7b2b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1238,6 +1238,7 @@ static int exec_child(ExecCommand *command,
int *error) {
_cleanup_strv_free_ char **our_env = NULL, **pam_env = NULL, **final_env = NULL, **final_argv = NULL;
+ _cleanup_free_ char *mac_selinux_context_net = NULL;
const char *username = NULL, *home = NULL, *shell = NULL;
unsigned n_dont_close = 0;
int dont_close[n_fds + 4];
@@ -1584,6 +1585,16 @@ static int exec_child(ExecCommand *command,
}
}
+#ifdef HAVE_SELINUX
+ if (params->apply_permissions && mac_selinux_use() && params->selinux_context_net && socket_fd >= 0) {
+ err = mac_selinux_get_child_mls_label(socket_fd, command->path, context->selinux_context, &mac_selinux_context_net);
+ if (err < 0) {
+ *error = EXIT_SELINUX_CONTEXT;
+ return err;
+ }
+ }
+#endif
+
/* We repeat the fd closing here, to make sure that
* nothing is leaked from the PAM modules. Note that
* we are more aggressive this time since socket_fd
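Review bot: The new `#ifdef HAVE_SELINUX` block at the top of this hunk carries no comment explaining why the MLS label is resolved here, far from the setexeccon() call that consumes it, and the reason lives only in the commit message (socket_fd is dropped by the fd-closing pass that follows, after which the lookup fails with -EINVAL). I would add above the `#ifdef`: `/* Resolve the socket-derived MLS label now, while socket_fd is still open; the repeated fd-closing pass below drops it and mac_selinux_get_child_mls_label() would then fail with -EINVAL. */`. Note also that a lookup failure here is fatal (EXIT_SELINUX_CONTEXT) regardless of context->selinux_context_ignore; the removed code behaved the same way, but since the label is now fetched earlier it is worth stating that in the comment so nobody assumes the ignore flag covers it. exec_child() starts and ends outside this hunk.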
@@ -1683,24 +1694,10 @@ static int exec_child(ExecCommand *command,
#ifdef HAVE_SELINUX
if (mac_selinux_use()) {
- if (context->selinux_context) {
- err = setexeccon(context->selinux_context);
- if (err < 0 && !context->selinux_context_ignore) {
- *error = EXIT_SELINUX_CONTEXT;
- return err;
- }
- }
-
- if (params->selinux_context_net && socket_fd >= 0) {
- _cleanup_free_ char *label = NULL;
-
- err = mac_selinux_get_child_mls_label(socket_fd, command->path, &label);
- if (err < 0) {
- *error = EXIT_SELINUX_CONTEXT;
- return err;
- }
+ char *exec_context = mac_selinux_context_net ?: context->selinux_context;
- err = setexeccon(label);
+ if (exec_context) {
+ err = setexeccon(exec_context);
if (err < 0) {
*error = EXIT_SELINUX_CONTEXT;
return err;
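Review bot: The merged setexeccon() error check at the end of this hunk drops the `!context->selinux_context_ignore` condition that the removed code applied when setting the configured SELinuxContext=, so a failing setexeccon() now aborts the exec with EXIT_SELINUX_CONTEXT even for units that asked for the failure to be ignored. Restoring it is a one-line change: `if (err < 0 && !context->selinux_context_ignore) {`. Whether the ignore flag should also cover the socket-derived label in mac_selinux_context_net, which the old code always treated as fatal, is a policy decision; if only the configured context should be tolerant, additionally test `exec_context == context->selinux_context` in that condition. The enclosing `if (mac_selinux_use())` block and exec_child() itself start before this hunk, and the braces closing them follow its last line.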