1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00

exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for others settings.

Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
This commit is contained in:
Michael Scherer 2014-02-06 10:05:18 +01:00 committed by Lennart Poettering
parent 5c56a259e0
commit 0d3f7bb3a5
2 changed files with 16 additions and 8 deletions

View File

@ -956,7 +956,9 @@
<listitem><para>Set the SELinux context of the
executed process. If set, this will override the
automated domain transition. However, the policy
still need to autorize the transition. See
still need to autorize the transition. This directive
is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
all errors will be ignored. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>

View File

@ -72,6 +72,7 @@
#include "fileio.h"
#include "unit.h"
#include "async.h"
#include "selinux-util.h"
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@ -1570,13 +1571,18 @@ int exec_spawn(ExecCommand *command,
}
#ifdef HAVE_SELINUX
if (context->selinux_context && use_selinux()) {
err = security_check_context(context->selinux_context);
if (err < 0) {
r = EXIT_SELINUX_CONTEXT;
goto fail_child;
}
err = setexeccon(context->selinux_context);
if (err < 0) {
bool ignore;
char* c;
c = context->selinux_context;
if (c[0] == '-') {
c++;
ignore = true;
} else
ignore = false;
err = setexeccon(c);
if (err < 0 && !ignore) {
r = EXIT_SELINUX_CONTEXT;
goto fail_child;
}