From 7fc04b12e0129cfedca05b13068e9c3aa7c3c196 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Wed, 11 Nov 2015 12:55:32 +0100
Subject: sd-bus: don't try to acquire connection selinux label unless selinux
 is actually enabled

Otherwise we might end up mistaking a SMACK label for an selinux label.

Also, fixes unexpect debug messages:

http://lists.freedesktop.org/archives/systemd-devel/2015-November/034913.html
---
 src/libsystemd/sd-bus/bus-control.c | 6 +++++-
 src/libsystemd/sd-bus/bus-socket.c  | 9 ++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

(limited to 'src/libsystemd')

diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c
index d5bc32e757..ddd3a55b6c 100644
--- a/src/libsystemd/sd-bus/bus-control.c
+++ b/src/libsystemd/sd-bus/bus-control.c
@@ -981,8 +981,12 @@ static int bus_get_owner_creds_kdbus(sd_bus *bus, uint64_t mask, sd_bus_creds **
 static int bus_get_owner_creds_dbus1(sd_bus *bus, uint64_t mask, sd_bus_creds **ret) {
         _cleanup_bus_creds_unref_ sd_bus_creds *c = NULL;
         pid_t pid = 0;
+        bool do_label;
         int r;
-        bool do_label = bus->label && (mask & SD_BUS_CREDS_SELINUX_CONTEXT);
+
+        assert(bus);
+
+        do_label = bus->label && (mask & SD_BUS_CREDS_SELINUX_CONTEXT);
 
         /* Avoid allocating anything if we have no chance of returning useful data */
         if (!bus->ucred_valid && !do_label)
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index a5cb667630..25873dea1e 100644
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -36,6 +36,7 @@
 #include "hexdecoct.h"
 #include "macro.h"
 #include "missing.h"
+#include "selinux-util.h"
 #include "signal-util.h"
 #include "stdio-util.h"
 #include "string-util.h"
@@ -608,9 +609,11 @@ static void bus_get_peercred(sd_bus *b) {
         b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
 
         /* Get the SELinux context of the peer */
-        r = getpeersec(b->input_fd, &b->label);
-        if (r < 0 && r != -EOPNOTSUPP)
-                log_debug_errno(r, "Failed to determine peer security context: %m");
+        if (mac_selinux_use()) {
+                r = getpeersec(b->input_fd, &b->label);
+                if (r < 0 && r != -EOPNOTSUPP)
+                        log_debug_errno(r, "Failed to determine peer security context: %m");
+        }
 }
 
 static int bus_socket_start_auth_client(sd_bus *b) {
-- 
cgit v1.2.3-54-g00ecf