author | Michal Sekletar <msekleta@redhat.com> | 2014-11-12 13:53:27 +0100 |
committer | Lennart Poettering <lennart@poettering.net> | 2014-12-04 03:00:01 +0100 |
commit | 9008e1ac925afcdef7b45042c03fa5444f1c52c2 (patch) | |
tree | bf56221d70f9c3acc210058e98294ba9f058aaf2 /src/shared | |
parent | fe0b9cd3ba25fb5063b6782983dde0a0c9915660 (diff) |
selinux: figure out selinux context applied on exec() before closing all fds
We need the original socket_fd around, otherwise mac_selinux_get_child_mls_label
fails with -EINVAL. Also, don't call setexeccon twice; instead, pass the
context value of the SELinuxContext option as an extra argument.
Diffstat (limited to 'src/shared')
-rw-r--r-- | src/shared/selinux-util.c | 8 | ||||
-rw-r--r-- | src/shared/selinux-util.h | 2 |
2 files changed, 3 insertions, 7 deletions
diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 6bd3bf1c80..a2233e0cfb 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -233,7 +233,7 @@ int mac_selinux_get_our_label(char **label) {
 return r;
 }
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
 int r = -EOPNOTSUPP;
 #ifdef HAVE_SELINUX
@@ -257,11 +257,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
 if (r < 0)
 return -errno;
- r = getexeccon(&fcon);
- if (r < 0)
- return -errno;
-
- if (!fcon) {
+ if (!exec_label) {
 /* If there is no context set for next exec let's use context of target executable */
 r = getfilecon(exe, &fcon);
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index 7ff8c607b4..a694441000 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -36,7 +36,7 @@ int mac_selinux_apply(const char *path, const char *label);
 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
 int mac_selinux_get_our_label(char **label);
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label);
 void mac_selinux_free(char *label);
 int mac_selinux_create_file_prepare(const char *path, mode_t mode); |
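Review bot: The new `exec_label` parameter is undocumented in both the definition and the header prototype, and the `if (!exec_label)` branch in the second hunk of selinux-util.c replaces a locally owned `fcon` (previously allocated by getexeccon() and freed by this function) with a caller-owned `const char *`. The rest of mac_selinux_get_child_mls_label lies outside the hunk, so it should be confirmed that the non-NULL path neither frees `exec_label` nor stores it in a pointer that is later handed to freecon(). I would add above the definition: `/* exec_label: context the caller will set for the child's exec() (presumably the SELinuxContext= value), or NULL to fall back to the file context of exe; borrowed from the caller, never freed here. */`, and the same one-line summary on the prototype in selinux-util.h. Because `exec_label` is no longer obtained from the kernel via getexeccon(), the function now trusts whatever string the caller passes; the old code's `getexeccon` failure check has no equivalent for a malformed label, so a check that the non-NULL label is a valid context before it is used would be worth considering in the unseen remainder of the function.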