From 6355e75610a8d47fc3ba5ab8bd442172a2cfe574 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Fri, 27 Nov 2015 20:22:56 +0100
Subject: selinux: split up mac_selinux_have() from mac_selinux_use()

Let's distuingish the cases where our code takes an active role in selinux management, or just passively reports whatever selinux properties are set. mac_selinux_have() now checks whether selinux is around for the passive stuff, and mac_selinux_use() for the active stuff. The latter checks the former, plus also checks UID == 0, under the assumption that only when we run priviliged selinux management really makes sense.

Fixes: #1941
---
 src/shared/condition.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/shared')

diff --git a/src/shared/condition.c b/src/shared/condition.c
index a69719116c..14d18429b6 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -231,7 +231,7 @@ static int condition_test_security(Condition *c) {
 assert(c->type == CONDITION_SECURITY);
 if (streq(c->parameter, "selinux"))
- return mac_selinux_use();
+ return mac_selinux_have();
 if (streq(c->parameter, "smack"))
 return mac_smack_use();
 if (streq(c->parameter, "apparmor"))
-- 
cgit v1.2.3-54-g00ecf
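Review bot: The selinux branch of condition_test_security() now answers a different question than the smack and apparmor branches right below it, and nothing in the code records why. Per the commit message, mac_selinux_have() only reports whether SELinux is around, while mac_selinux_use() additionally requires UID == 0; the neighbouring `return mac_smack_use();` keeps the `_use()` form, and whether that helper carries a comparable privilege check is not visible here. I would add a comment above the changed line, for example `/* Passive check: is SELinux available at all? Unlike mac_selinux_use() this does not depend on our UID, and it says nothing about whether we manage labels ourselves. */`, so the asymmetry is not later "corrected" back. The function body starts before and continues past this hunk, so the remaining branches and the fallthrough return are outside what can be reviewed here.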