diff options
-rw-r--r-- | man/systemd-nspawn.xml | 8 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 46 |
2 files changed, 27 insertions, 27 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml index 08b0457d16..c5d90c4233 100644 --- a/man/systemd-nspawn.xml +++ b/man/systemd-nspawn.xml @@ -253,9 +253,9 @@ <term><option>--file-label=</option></term> <listitem><para>Sets the mandatory - access control (MAC) file label to be - used by tmpfs file systems in the - container.</para> + access control (MAC/SELinux) file + label to be used by virtual API file + systems in the container.</para> </listitem> </varlistentry> @@ -264,7 +264,7 @@ <term><option>--process-label=</option></term> <listitem><para>Sets the mandatory - access control (MAC) label to be used by + access control (MAC/SELinux) label to be used by processes in the container.</para> </listitem> </varlistentry> diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index c91f6cce21..cd63bf6a7f 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -80,8 +80,8 @@ static char *arg_directory = NULL; static char *arg_user = NULL; static sd_id128_t arg_uuid = {}; static char *arg_machine = NULL; -static char *process_label = NULL; -static char *file_label = NULL; +static char *arg_process_label = NULL; +static char *arg_file_label = NULL; static const char *arg_slice = NULL; static bool arg_private_network = false; static bool arg_read_only = false; @@ -130,8 +130,10 @@ static int help(void) { " --uuid=UUID Set a specific machine UUID for the container\n" " -M --machine=NAME Set the machine name for the container\n" " -S --slice=SLICE Place the container in the specified slice\n" - " -L --file-label=LABEL Set the MAC file label to be used by tmpfs file systems in container\n" - " -Z --process-label=LABEL Set the MAC label to be used by processes in container\n" + " -L --file-label=LABEL Set the MAC file label to be used by tmpfs file\n" + " systems in the container\n" + " -Z --process-label=LABEL Set the MAC label to be used by processes in\n" + " the container\n" " --private-network Disable network in container\n" " --read-only Mount the root directory read-only\n" " --capability=CAP In addition to the default, retain specified\n" @@ -257,17 +259,11 @@ static int parse_argv(int argc, char *argv[]) { break; case 'L': - file_label = strdup(optarg); - if (!file_label) - return log_oom(); - + arg_file_label = optarg; break; case 'Z': - process_label = strdup(optarg); - if (!process_label) - return log_oom(); - + arg_process_label = optarg; break; case ARG_READ_ONLY: @@ -419,7 +415,10 @@ static int mount_all(const char *dest) { for (k = 0; k < ELEMENTSOF(mount_table); k++) { _cleanup_free_ char *where = NULL; +#ifdef HAVE_SELINUX _cleanup_free_ char *options = NULL; +#endif + const char *o; int t; where = strjoin(dest, "/", mount_table[k].where, NULL); @@ -443,21 +442,22 @@ static int mount_all(const char *dest) { mkdir_p(where, 0755); #ifdef HAVE_SELINUX - if (file_label && (streq_ptr(mount_table[k].what, "tmpfs") || - streq_ptr(mount_table[k].what, "devpts"))) - options = strjoin(mount_table[k].options, ",context=\"", file_label, "\"", NULL); - else + if (arg_file_label && (streq_ptr(mount_table[k].what, "tmpfs") || streq_ptr(mount_table[k].what, "devpts"))) { + options = strjoin(mount_table[k].options, ",context=\"", arg_file_label, "\"", NULL); + if (!options) + return log_oom(); + + o = options; + } else #endif - options = strjoin(mount_table[k].options, NULL); + o = mount_table[k].options; - if (!options) - return log_oom(); if (mount(mount_table[k].what, where, mount_table[k].type, mount_table[k].flags, - options) < 0 && + o) < 0 && mount_table[k].fatal) { log_error("mount(%s) failed: %m", where); @@ -1527,9 +1527,9 @@ int main(int argc, char *argv[]) { env_use = (char**) envp; #if HAVE_SELINUX - if (process_label) - if (setexeccon(process_label) < 0) - log_error("setexeccon(\"%s\") failed: %m", process_label); + if (arg_process_label) + if (setexeccon(arg_process_label) < 0) + log_error("setexeccon(\"%s\") failed: %m", arg_process_label); #endif if (arg_boot) { char **a; |