shaba/systemd-stable
1
1
Fork 0
mirror of https://github.com/systemd/systemd-stable.git synced 2025-02-15 05:57:26 +03:00
Code

Merge pull request #16223 from cgzones/user_selinux

Browse Source 
Initialize SELinux in user instances
This commit is contained in:
Lennart Poettering 2020-06-24 08:39:13 +02:00 committed by GitHub
commit bc8d57f290
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
15 changed files with 40 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/basic/selinux-util.c
View File

@ -122,7 +122,7 @@ int mac_selinux_init(void) {
label_hnd = selabel_open(SELABEL_CTX_FILE, NULL, 0);
if (!label_hnd)
return log_enforcing_errno(errno, "Failed to initialize SELinux context: %m");
return log_enforcing_errno(errno, "Failed to initialize SELinux labeling handle: %m");
after_timestamp = now(CLOCK_MONOTONIC);
after_mallinfo = mallinfo();

7
src/core/main.c
View File

@ -2559,7 +2559,7 @@ int main(int argc, char *argv[]) {
}
if (mac_selinux_init() < 0) {
error_message = "Failed to initialize SELinux policy";
error_message = "Failed to initialize SELinux support";
goto finish;
}
@ -2603,6 +2603,11 @@ int main(int argc, char *argv[]) {
/* clear the kernel timestamp,
* because we are not PID 1 */
kernel_timestamp = DUAL_TIMESTAMP_NULL;
if (mac_selinux_init() < 0) {
error_message = "Failed to initialize SELinux support";
goto finish;
}
}
if (arg_system) {

5
src/hostname/hostnamed.c
View File

@ -801,7 +801,10 @@ static int run(int argc, char *argv[]) {
return r;
umask(0022);
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);

4
src/hwdb/hwdb.c
View File

@ -125,7 +125,9 @@ static int run(int argc, char *argv[]) {
if (r <= 0)
return r;
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
return hwdb_main(argc, argv);
}

5
src/locale/localed.c
View File

@ -788,7 +788,10 @@ static int run(int argc, char *argv[]) {
return r;
umask(0022);
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, -1) >= 0);

2
src/login/logind.c
View File

@ -1173,7 +1173,7 @@ static int run(int argc, char *argv[]) {
r = mac_selinux_init();
if (r < 0)
return log_error_errno(r, "Could not initialize labelling: %m");
return r;
/* Always create the directories people can create inotify watches in. Note that some applications might check
* for the existence of /run/systemd/seats/ to determine whether logind is available, so please always make

6
src/login/user-runtime-dir.c
View File

@ -192,11 +192,11 @@ static int run(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"First argument must be either \"start\" or \"stop\".");
umask(0022);
r = mac_selinux_init();
if (r < 0)
return log_error_errno(r, "Could not initialize labelling: %m\n");
umask(0022);
return r;
if (streq(argv[1], "start"))
return do_mount(argv[2]);

2
src/resolve/resolved.c
View File

@ -40,7 +40,7 @@ static int run(int argc, char *argv[]) {
r = mac_selinux_init();
if (r < 0)
return log_error_errno(r, "SELinux setup failed: %m");
return r;
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
* privileges are already dropped and we can't create our directory. */

2
src/sysusers/sysusers.c
View File

@ -1898,7 +1898,7 @@ static int run(int argc, char *argv[]) {
r = mac_selinux_init();
if (r < 0)
return log_error_errno(r, "SELinux setup failed: %m");
return r;
/* If command line arguments are specified along with --replace, read all
* configuration files and insert the positional arguments at the specified

5
src/timedate/timedated.c
View File

@ -377,7 +377,10 @@ static int context_write_data_local_rtc(Context *c) {
}
}
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
return write_string_file_atomic_label("/etc/adjtime", w);
}

4
src/tmpfiles/tmpfiles.c
View File

@ -3262,7 +3262,9 @@ static int run(int argc, char *argv[]) {
umask(0022);
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
items = ordered_hashmap_new(&item_array_hash_ops);
globs = ordered_hashmap_new(&item_array_hash_ops);

5
src/udev/udevadm.c
View File

@ -124,7 +124,10 @@ static int run(int argc, char *argv[]) {
log_set_max_level_realm(LOG_REALM_SYSTEMD, log_get_max_level());
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
return udevadm_main(argc, argv);
}

2
src/udev/udevd.c
View File

@ -1863,7 +1863,7 @@ int run_udevd(int argc, char *argv[]) {
r = mac_selinux_init();
if (r < 0)
return log_error_errno(r, "Could not initialize labelling: %m");
return r;
r = mkdir_errno_wrapper("/run/udev", 0755);
if (r < 0 && r != -EEXIST)

4
src/update-done/update-done.c
View File

@ -49,10 +49,8 @@ int main(int argc, char *argv[]) {
}
r = mac_selinux_init();
if (r < 0) {
log_error_errno(r, "SELinux setup failed: %m");
if (r < 0)
return EXIT_FAILURE;
}
r = apply_timestamp("/etc/.updated", &st.st_mtim);
q = apply_timestamp("/var/.updated", &st.st_mtim);

4
src/user-sessions/user-sessions.c
View File

@ -25,7 +25,9 @@ static int run(int argc, char *argv[]) {
umask(0022);
mac_selinux_init();
r = mac_selinux_init();
if (r < 0)
return r;
if (streq(argv[1], "start")) {
r = unlink_or_warn("/run/nologin");