author | David Herrmann <dh.herrmann@gmail.com> | 2015-08-27 16:23:47 +0200 |
---|---|---|
committer | David Herrmann <dh.herrmann@gmail.com> | 2015-08-27 16:29:01 +0200 |
commit | 8faae625dc9b6322db452937f54176e56e65265a (patch) | |
tree | 6d8bb83e521173ce69453e465858415b253a038e /src/core/selinux-access.c | |
parent | 19bee5c3674cda184443509b49b9415f599349ab (diff) |
selinux: drop mac_selinux_unit_access_check_strv()
It is not acceptable to load unit files during enable/disable operations
just to figure out the selinux labels. systemd implements lazy loading
for units, so the selinux hooks need to follow it.
This drops the mac_selinux_unit_access_check_strv() helper which
implements a non-acceptable policy check. If anyone cares for that
functionality, you really should pass a callback+userdata to the helpers
in src/shared/install.c which does policy checks on each touched file.
See #1050 on github for more.
Diffstat (limited to 'src/core/selinux-access.c')
-rw-r--r-- | src/core/selinux-access.c | 27 |
1 files changed, 0 insertions, 27 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 2ecfa40974..f920c2e2cd 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -289,30 +289,3 @@ finish:
 return 0;
 #endif
 }
-
-int mac_selinux_unit_access_check_strv(
- char **units,
- sd_bus_message *message,
- Manager *m,
- const char *permission,
- sd_bus_error *error) {
-
-#ifdef HAVE_SELINUX
- char **i;
- Unit *u;
- int r;
-
- STRV_FOREACH(i, units) {
- if (is_path(*i))
- r = manager_load_unit(m, NULL, *i, error, &u);
- else
- r = manager_load_unit(m, *i, NULL, error, &u);
- if (r < 0)
- return r;
- r = mac_selinux_unit_access_check(u, message, permission, error);
- if (r < 0)
- return r;
- }
-#endif
- return 0;
-} |