diff options
Diffstat (limited to 'src/core/execute.c')
| -rw-r--r-- | src/core/execute.c | 23 |
1 files changed, 21 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index d8452a666c..129791294e 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -83,6 +83,7 @@ #include "af-list.h" #include "mkdir.h" #include "apparmor-util.h" +#include "label.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -1729,6 +1730,22 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } + + if (context->selinux_label_via_net && use_selinux()) { + _cleanup_free_ char *label = NULL; + + err = label_get_child_label(socket_fd, command->path, &label); + if (err < 0) { + r = EXIT_SELINUX_CONTEXT; + goto fail_child; + } + + err = setexeccon(label); + if (err < 0) { + r = EXIT_SELINUX_CONTEXT; + goto fail_child; + } + } #endif #ifdef HAVE_APPARMOR @@ -2112,7 +2129,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { "%sPrivateDevices: %s\n" "%sProtectHome: %s\n" "%sProtectSystem: %s\n" - "%sIgnoreSIGPIPE: %s\n", + "%sIgnoreSIGPIPE: %s\n" + "%sSELinuxLabelViaNet: %s\n", prefix, c->umask, prefix, c->working_directory ? c->working_directory : "/", prefix, c->root_directory ? c->root_directory : "/", @@ -2122,7 +2140,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { prefix, yes_no(c->private_devices), prefix, protect_home_to_string(c->protect_home), prefix, protect_system_to_string(c->protect_system), - prefix, yes_no(c->ignore_sigpipe)); + prefix, yes_no(c->ignore_sigpipe), + prefix, yes_no(c->selinux_label_via_net)); STRV_FOREACH(e, c->environment) fprintf(f, "%sEnvironment: %s\n", prefix, *e); |