author | Michael Scherer <misc@zarb.org> | 2014-02-06 10:05:18 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-02-10 13:18:16 +0100 |
commit | 0d3f7bb3a5bc6d5c0712f88a080fed388981bca3 (patch) | |
tree | 34dc9f0f4b3d794bafc0b7ed04c8d2fe3988754c /src | |
parent | 5c56a259e07661a66e806cc2fbc71de96a75f78e (diff) |
exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for others settings.
Also remove the call to security_check_context, as it serves no purpose, since
setexeccon will fail anyway.
Diffstat (limited to 'src')
-rw-r--r-- | src/core/execute.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index 474a4af895..437065465d 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -72,6 +72,7 @@
 #include "fileio.h"
 #include "unit.h"
 #include "async.h"
+#include "selinux-util.h"
 
 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@@ -1570,13 +1571,18 @@ int exec_spawn(ExecCommand *command,
 }
 #ifdef HAVE_SELINUX
 if (context->selinux_context && use_selinux()) {
- err = security_check_context(context->selinux_context);
- if (err < 0) {
- r = EXIT_SELINUX_CONTEXT;
- goto fail_child;
- }
- err = setexeccon(context->selinux_context);
- if (err < 0) {
+ bool ignore;
+ char* c;
+
+ c = context->selinux_context;
+ if (c[0] == '-') {
+ c++;
+ ignore = true;
+ } else
+ ignore = false;
+
+ err = setexeccon(c);
+ if (err < 0 && !ignore) {
 r = EXIT_SELINUX_CONTEXT;
 goto fail_child;
 } |
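Review bot: When the context string starts with `-`, a failing `setexeccon(c)` in the second hunk is dropped without any trace, so the command goes on to run under whatever label it would otherwise receive, and a mistyped or unloaded context looks the same as success. Splitting the test so the ignored case still leaves a warning keeps the opt-out auditable, e.g. `if (err < 0) { /* warn here */ if (!ignore) { r = EXIT_SELINUX_CONTEXT; goto fail_child; } }`, assuming logging is usable at this point in the child. The prefix is also decoded from the raw `context->selinux_context` at spawn time; any other reader of that field (none is visible in this hunk) would see the leading `-`, so parsing it once at load time into a separate flag would be safer. `exec_spawn` begins and ends outside the hunk.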