selinux: create unit invocation links with default SELinux context

(cherry picked from commit a3f5fd964bc9fcac82315f8c82d4ca575afdd1b7)
2025-03-08 20:58:20 +03:00 · 2020-09-01 15:48:53 +02:00 · 2020-09-01 15:48:53 +02:00 · 58a33e50c0
commit 58a33e50c0
parent e39f0fa5c3
3 changed files with 25 additions and 2 deletions
--- a/src/basic/label.c
+++ b/src/basic/label.c
@ -5,6 +5,7 @@
 #include <unistd.h>

 #include "btrfs-util.h"
+#include "fs-util.h"
 #include "label.h"
 #include "macro.h"
 #include "selinux-util.h"
@ -45,6 +46,27 @@ int symlink_label(const char *old_path, const char *new_path) {
        return mac_smack_fix(new_path, 0);
 }

+int symlink_atomic_label(const char *from, const char *to) {
+        int r;
+
+        assert(from);
+        assert(to);
+
+        r = mac_selinux_create_file_prepare(to, S_IFLNK);
+        if (r < 0)
+                return r;
+
+        if (symlink_atomic(from, to) < 0)
+                r = -errno;
+
+        mac_selinux_create_file_clear();
+
+        if (r < 0)
+                return r;
+
+        return mac_smack_fix(to, 0);
+}
+
 int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
        int r;

--- a/src/basic/label.h
+++ b/src/basic/label.h
@ -17,6 +17,7 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
 int symlink_label(const char *old_path, const char *new_path);
+int symlink_atomic_label(const char *from, const char *to);
 int mknod_label(const char *pathname, mode_t mode, dev_t dev);

 int btrfs_subvol_make_label(const char *path);
--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -24,10 +24,10 @@
 #include "fileio-label.h"
 #include "fileio.h"
 #include "format-util.h"
-#include "fs-util.h"
 #include "id128-util.h"
 #include "io-util.h"
 #include "install.h"
+#include "label.h"
 #include "load-dropin.h"
 #include "load-fragment.h"
 #include "log.h"
@ -5670,7 +5670,7 @@ static int unit_export_invocation_id(Unit *u) {
        if (r < 0)
                return log_unit_debug_errno(u, r, "Failed to get invocation path: %m");

-        r = symlink_atomic(u->invocation_id_string, p);
+        r = symlink_atomic_label(u->invocation_id_string, p);
        if (r < 0)
                return log_unit_debug_errno(u, r, "Failed to create invocation ID symlink %s: %m", p);