From 61ea63f1ab7f47cc7490986748f3d240c06b54a5 Mon Sep 17 00:00:00 2001 From: Evgeny Vereshchagin Date: Sun, 31 Jan 2016 12:59:35 +0000 Subject: core: fix selinux check for reload Fixes: -bash-4.3# echo 1 >/sys/fs/selinux/enforce -bash-4.3# runcon -t systemd_test_start_t systemctl start hola -bash-4.3# sesearch --allow -s systemd_test_reload_t -c service Found 1 semantic av rules: allow systemd_test_reload_t systemd_unit_file_t : service reload ; -bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola Failed to reload hola.service: Access denied See system logs and 'systemctl status hola.service' for details. -bash-4.3# journalctl -b | grep -i user_avc | grep reload USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola" scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service See https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation --- src/core/dbus-unit.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'src/core/dbus-unit.c') diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c index 386ea96d1b..9862f6e6f6 100644 --- a/src/core/dbus-unit.c +++ b/src/core/dbus-unit.c @@ -458,7 +458,10 @@ int bus_unit_method_start_generic( assert(u); assert(job_type >= 0 && job_type < _JOB_TYPE_MAX); - r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error); + r = mac_selinux_unit_access_check( + u, message, + (job_type == JOB_START || job_type == JOB_RESTART || job_type == JOB_TRY_RESTART) ? "start" : + job_type == JOB_STOP ? "stop" : "reload", error); if (r < 0) return r; -- cgit v1.2.3-54-g00ecf