selinux: figure out selinux context applied on exec() before closing all fds

We need original socket_fd around otherwise mac_selinux_get_child_mls_label fails with -EINVAL return code. Also don't call setexeccon twice but rather pass context value of SELinuxContext option as an extra argument. Signed-off-by: Anthony G. Basile <blueness@gentoo.org>
author: Michal Sekletar <msekleta@redhat.com> 2014-11-12 13:53:27 +0100
committer: Anthony G. Basile <blueness@gentoo.org> 2014-12-04 17:37:10 -0500
commit: a2e46b539b55e3115af65ae7a4c36e80a2ae6abc (patch)
tree: c454ceac6906cad69a2045d4d86854e325d945f6 /src/shared/selinux-util.c
parent: a0d05ead08a9dd4b0432889f10f41c53966dc13f (diff)
1 files changed, 2 insertions, 6 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index a374c277a8..7f8cc0eb76 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -231,7 +231,7 @@ int mac_selinux_get_our_label(char **label) {
         return r;
 }
 
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
         int r = -EOPNOTSUPP;
 
 #ifdef HAVE_SELINUX
@@ -255,11 +255,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
         if (r < 0)
                 return -errno;
 
-        r = getexeccon(&fcon);
-        if (r < 0)
-                return -errno;
-
-        if (!fcon) {
+        if (!exec_label) {
                 /* If there is no context set for next exec let's use context
                    of target executable */
                 r = getfilecon(exe, &fcon);
author	Michal Sekletar <msekleta@redhat.com>	2014-11-12 13:53:27 +0100
committer	Anthony G. Basile <blueness@gentoo.org>	2014-12-04 17:37:10 -0500
commit	a2e46b539b55e3115af65ae7a4c36e80a2ae6abc (patch)
tree	c454ceac6906cad69a2045d4d86854e325d945f6 /src/shared/selinux-util.c
parent	a0d05ead08a9dd4b0432889f10f41c53966dc13f (diff)