author | Lennart Poettering <lennart@poettering.net> | 2014-08-19 19:16:08 +0200 |
committer | Lennart Poettering <lennart@poettering.net> | 2014-08-19 19:16:08 +0200 |
commit | 3bb07b7680c543c982077ac075abe8badeb46ca1 (patch) | |
tree | 958ea1a7da76d0cb817c30f2b6d1abad41e0691f /src/core | |
parent | 8530dc4467691a893aa2e07319b18a84fec96cad (diff) |
Revert "socket: introduce SELinuxLabelViaNet option"
This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec.
Needs more discussion on the mailing list.
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/execute.c | 23 | ||||
-rw-r--r-- | src/core/execute.h | 1 | ||||
-rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 3 | ||||
-rw-r--r-- | src/core/socket.c | 22 | ||||
-rw-r--r-- | src/core/socket.h | 2 |
5 files changed, 5 insertions, 46 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index 129791294e..d8452a666c 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -83,7 +83,6 @@ #include "af-list.h" #include "mkdir.h" #include "apparmor-util.h" -#include "label.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -1730,22 +1729,6 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } - - if (context->selinux_label_via_net && use_selinux()) { - _cleanup_free_ char *label = NULL; - - err = label_get_child_label(socket_fd, command->path, &label); - if (err < 0) { - r = EXIT_SELINUX_CONTEXT; - goto fail_child; - } - - err = setexeccon(label); - if (err < 0) { - r = EXIT_SELINUX_CONTEXT; - goto fail_child; - } - } #endif #ifdef HAVE_APPARMOR @@ -2129,8 +2112,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { "%sPrivateDevices: %s\n" "%sProtectHome: %s\n" "%sProtectSystem: %s\n" - "%sIgnoreSIGPIPE: %s\n" - "%sSELinuxLabelViaNet: %s\n", + "%sIgnoreSIGPIPE: %s\n", prefix, c->umask, prefix, c->working_directory ? c->working_directory : "/", prefix, c->root_directory ? c->root_directory : "/", @@ -2140,8 +2122,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { prefix, yes_no(c->private_devices), prefix, protect_home_to_string(c->protect_home), prefix, protect_system_to_string(c->protect_system), - prefix, yes_no(c->ignore_sigpipe), - prefix, yes_no(c->selinux_label_via_net)); + prefix, yes_no(c->ignore_sigpipe)); STRV_FOREACH(e, c->environment) fprintf(f, "%sEnvironment: %s\n", prefix, *e); diff --git a/src/core/execute.h b/src/core/execute.h index d23a98097a..9d05d3a9de 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -136,7 +136,6 @@ struct ExecContext { bool selinux_context_ignore; char *selinux_context; - bool selinux_label_via_net; bool apparmor_profile_ignore; char *apparmor_profile; diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index d5ff848c33..b4e2b25743 100644 
--- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -262,9 +262,6 @@ Socket.SmackLabelIPOut, config_parse_string, 0, `Socket.SmackLabel, config_parse_warn_compat, 0, 0 Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0 Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0') -m4_ifdef(`HAVE_SELINUX', -`Socket.SELinuxLabelViaNet, config_parse_bool, 0, offsetof(Socket, selinux_label_via_net)', -`Socket.SELinuxLabelViaNet, config_parse_warn_compat, 0, 0') EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl diff --git a/src/core/socket.c b/src/core/socket.c index 34ce1b1ffd..a16b20d739 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -31,10 +31,6 @@ #include <mqueue.h> #include <sys/xattr.h> -#ifdef HAVE_SELINUX -#include <selinux/selinux.h> -#endif - #include "sd-event.h" #include "log.h" #include "load-dropin.h" @@ -492,8 +488,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { "%sPassCredentials: %s\n" "%sPassSecurity: %s\n" "%sTCPCongestion: %s\n" - "%sRemoveOnStop: %s\n" - "%sSELinuxLabelViaNet: %s\n", + "%sRemoveOnStop: %s\n", prefix, socket_state_to_string(s->state), prefix, socket_result_to_string(s->result), prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only), @@ -508,8 +503,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { prefix, yes_no(s->pass_cred), prefix, yes_no(s->pass_sec), prefix, strna(s->tcp_congestion), - prefix, yes_no(s->remove_on_stop), - prefix, yes_no(s->selinux_label_via_net)); + prefix, yes_no(s->remove_on_stop)); if (s->control_pid > 0) fprintf(f, @@ -1136,14 +1130,7 @@ static int socket_open_fds(Socket *s) { continue; if (p->type == SOCKET_SOCKET) { -#ifdef HAVE_SELINUX - if (!know_label && s->selinux_label_via_net) { - r = getcon(&label); - if (r < 0) - return r; - know_label = true; - } -#endif + if (!know_label) { r = socket_instantiate_service(s); 
@@ -1842,9 +1829,6 @@ static void socket_enter_running(Socket *s, int cfd) { cfd = -1; s->n_connections ++; - if (s->selinux_label_via_net) - service->exec_context.selinux_label_via_net = true; - r = manager_add_job(UNIT(s)->manager, JOB_START, UNIT(service), JOB_REPLACE, true, &error, NULL); if (r < 0) goto fail; diff --git a/src/core/socket.h b/src/core/socket.h index ab342c34e8..eede70564a 100644 --- a/src/core/socket.h +++ b/src/core/socket.h @@ -165,8 +165,6 @@ struct Socket { char *smack_ip_in; char *smack_ip_out; - bool selinux_label_via_net; - char *user, *group; }; |