From 7b52a628f8b43ba521c302a7f32bccf9d0dc8bfd Mon Sep 17 00:00:00 2001 From: Michael Scherer Date: Thu, 6 Feb 2014 10:05:16 +0100 Subject: exec: Add SELinuxContext configuration item MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This permit to let system administrators decide of the domain of a service. This can be used with templated units to have each service in a différent domain ( for example, a per customer database, using MLS or anything ), or can be used to force a non selinux enabled system (jvm, erlang, etc) to start in a different domain for each service. --- src/core/execute.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'src/core/execute.c') diff --git a/src/core/execute.c b/src/core/execute.c index 91e4352f9a..c02c768c68 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -47,6 +47,10 @@ #include #endif +#ifdef HAVE_SELINUX +#include +#endif + #include "execute.h" #include "strv.h" #include "macro.h" @@ -1564,6 +1568,20 @@ int exec_spawn(ExecCommand *command, goto fail_child; } } +#ifdef HAVE_SELINUX + if (context->selinux_context) { + err = security_check_context(context->selinux_context); + if (err < 0) { + r = EXIT_SELINUX_CONTEXT; + goto fail_child; + } + err = setexeccon(context->selinux_context); + if (err < 0) { + r = EXIT_SELINUX_CONTEXT; + goto fail_child; + } + } +#endif } err = build_environment(context, n_fds, watchdog_usec, home, username, shell, &our_env); @@ -1722,6 +1740,9 @@ void exec_context_done(ExecContext *c) { free(c->utmp_id); c->utmp_id = NULL; + free(c->selinux_context); + c->selinux_context = NULL; + free(c->syscall_filter); c->syscall_filter = NULL; } @@ -2091,6 +2112,12 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fprintf(f, "%sUtmpIdentifier: %s\n", prefix, c->utmp_id); + + if (c->selinux_context) + fprintf(f, + "%sSELinuxContext: %s\n", + prefix, c->selinux_context); + } void exec_status_start(ExecStatus *s, pid_t pid) { -- cgit v1.2.3-54-g00ecf