From a2e46b539b55e3115af65ae7a4c36e80a2ae6abc Mon Sep 17 00:00:00 2001
From: Michal Sekletar
Date: Wed, 12 Nov 2014 13:53:27 +0100
Subject: selinux: figure out selinux context applied on exec() before closing all fds

We need original socket_fd around otherwise mac_selinux_get_child_mls_label fails with -EINVAL return code. Also don't call setexeccon twice but rather pass context value of SELinuxContext option as an extra argument.

Signed-off-by: Anthony G. Basile
---
 src/shared/selinux-util.c | 8 ++------
 src/shared/selinux-util.h | 2 +-
 2 files changed, 3 insertions(+), 7 deletions(-)
(limited to 'src')

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index a374c277a8..7f8cc0eb76 100644
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -231,7 +231,7 @@ int mac_selinux_get_our_label(char **label) {
 return r;
 }

-int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label) {
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label) {
 int r = -EOPNOTSUPP;

 #ifdef HAVE_SELINUX
@@ -255,11 +255,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, char **label
 if (r < 0)
 return -errno;

- r = getexeccon(&fcon);
- if (r < 0)
- return -errno;
-
- if (!fcon) {
+ if (!exec_label) {
 /* If there is no context set for next exec let's use context of target executable */
 r = getfilecon(exe, &fcon);
diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index dffd144513..744b1bcf45 100644
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
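Review bot: Replacing `if (!fcon)` with `if (!exec_label)` leaves `fcon` assigned only on the getfilecon() path; when the caller passes a non-NULL exec_label, nothing in this hunk stores that context anywhere, whereas the removed code always had fcon populated, from getexeccon() or getfilecon(), before continuing. If the rest of mac_selinux_get_child_mls_label still builds the child's context from fcon, the exec_label path now proceeds with it unset, so the branch needs an else arm that adopts exec_label, duplicated into fcon so the existing cleanup owns it. The declaration of fcon and the remainder of the function are outside the hunk, so this is inferred from the removed lines rather than seen; please confirm against the code that follows. The header hunk only mirrors the prototype and is not affected.
```c
        if (exec_label) {
                /* The caller already chose the context for the next exec(); use it as the child's base */
                fcon = strdup(exec_label);
                if (!fcon)
                        return -ENOMEM;
        } else {
                /* If there is no context set for next exec let's use context of target executable */
                r = getfilecon(exe, &fcon);
                /* … unchanged: error check and closing brace … */
```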
@@ -35,7 +35,7 @@ int mac_selinux_apply(const char *path, const char *label);

 int mac_selinux_get_create_label_from_exe(const char *exe, char **label);
 int mac_selinux_get_our_label(char **label);
-int mac_selinux_get_child_mls_label(int socket_fd, const char *exec, char **label);
+int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *exec_label, char **label);
 void mac_selinux_free(char *label);

 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
-- 
cgit v1.2.3-54-g00ecf
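Review bot: The new exec_label parameter is undocumented on the declaration, and its NULL semantics are the whole point of the change: the .c hunk falls back to getfilecon(exe) only when exec_label is NULL, and otherwise expects the caller to have supplied the context for the next exec(). A one-line comment above the prototype would spare callers reading the implementation, e.g. `/* exec_label: context already chosen for the next exec(), or NULL to derive it from the file label of exe */`. The renaming of the second parameter from exec to exe in this hunk brings the header in line with the definition and needs no further change.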