From 807fa5d9a01b2bd80ac821d3a165bfef0323c20c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 10 Feb 2017 11:54:18 +0100
Subject: dbus: check selinux privilege before returning process list

We protect less interetsing stuff with selinux "status", let's do that
here too.
---
 src/core/dbus-unit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 60e889e1ef..f1306a023f 100644
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -1006,6 +1006,10 @@ int bus_unit_method_get_processes(sd_bus_message *message, void *userdata, sd_bu
 
         assert(message);
 
+        r = mac_selinux_unit_access_check(u, message, "status", error);
+        if (r < 0)
+                return r;
+
         pids = set_new(NULL);
         if (!pids)
                 return -ENOMEM;
-- 
cgit v1.2.3-54-g00ecf