Merge pull request #2493 from evverx/fix-selinux-checks

Fix selinux check for ReloadUnit

3 files changed, 25 insertions, 7 deletions

diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 386ea96d1b..dca9f77528 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -458,7 +458,10 @@ int bus_unit_method_start_generic(
         assert(u);
         assert(job_type >= 0 && job_type < _JOB_TYPE_MAX);
 
-        r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error);
+        r = mac_selinux_unit_access_check(
+                        u, message,
+                        job_type_to_access_method(job_type),
+                        error);
         if (r < 0)
                 return r;
 
@@ -983,6 +986,13 @@ int bus_unit_queue_job(
         assert(type >= 0 && type < _JOB_TYPE_MAX);
         assert(mode >= 0 && mode < _JOB_MODE_MAX);
 
+        r = mac_selinux_unit_access_check(
+                        u, message,
+                        job_type_to_access_method(type),
+                        error);
+        if (r < 0)
+                return r;
+
         if (reload_if_possible && unit_can_reload(u)) {
                 if (type == JOB_RESTART)
                         type = JOB_RELOAD_OR_START;
@@ -990,12 +1000,6 @@ int bus_unit_queue_job(
                         type = JOB_TRY_RELOAD;
         }
 
-        r = mac_selinux_unit_access_check(
-                        u, message,
-                        (type == JOB_START || type == JOB_RESTART || type == JOB_TRY_RESTART) ? "start" :
-                        type == JOB_STOP ? "stop" : "reload", error);
-        if (r < 0)
-                return r;
 
         if (type == JOB_STOP &&
             (u->load_state == UNIT_NOT_FOUND || u->load_state == UNIT_ERROR) &&
diff --git a/src/core/job.c b/src/core/job.c
index 4e111ffb46..d8fdf1b53f 100644
--- a/src/core/job.c
+++ b/src/core/job.c
@@ -1240,3 +1240,15 @@ static const char* const job_result_table[_JOB_RESULT_MAX] = {
 };
 
 DEFINE_STRING_TABLE_LOOKUP(job_result, JobResult);
+
+const char* job_type_to_access_method(JobType t) {
+        assert(t >= 0);
+        assert(t < _JOB_TYPE_MAX);
+
+        if (IN_SET(t, JOB_START, JOB_RESTART, JOB_TRY_RESTART))
+                return "start";
+        else if (t == JOB_STOP)
+                return "stop";
+        else
+                return "reload";
+}
diff --git a/src/core/job.h b/src/core/job.h
index 52866fdc48..bbf5471e8b 100644
--- a/src/core/job.h
+++ b/src/core/job.h
@@ -240,3 +240,5 @@ const char* job_result_to_string(JobResult t) _const_;
 JobResult job_result_from_string(const char *s) _pure_;
 
 int job_get_timeout(Job *j, uint64_t *timeout) _pure_;
+
+const char* job_type_to_access_method(JobType t);