execute: always log a warning when setting SELinux context fails
Also update the manual page to explain how the transition can still fail.
This commit is contained in:
parent
b01ee585c9
commit
006d1864fb
@ -730,10 +730,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<listitem><para>Set the SELinux security context of the executed process. If set, this will override the
automated domain transition. However, the policy still needs to authorize the transition. This directive is
ignored if SELinux is disabled. If prefixed by <literal>-</literal>, all errors will be ignored. This does not
affect commands prefixed with <literal>+</literal>. See <citerefentry
project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
details.</para></listitem>
ignored if SELinux is disabled. If prefixed by <literal>-</literal>, failing to set the SELinux
security context will be ignored, but it's still possible that the subsequent
<function>execve()</function> may fail if the policy doesn't allow the transition for the
non-overridden context. This does not affect commands prefixed with <literal>+</literal>. See
<citerefentry
project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>
@ -4579,9 +4579,12 @@ static int exec_child(
if (fd >= 0) {
r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
if (r < 0 && !context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
}
log_unit_debug_errno(unit, r, "Failed to determine SELinux context, ignoring: %m");
}
}
}
@ -4713,9 +4716,12 @@ static int exec_child(
if (exec_context) {
r = setexeccon(exec_context);
if (r < 0 && !context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
}
log_unit_debug_errno(unit, r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);
}
}
}
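Review bot: The new ignore path logs at debug level (`log_unit_debug_errno(unit, r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);`, and the same pattern in the earlier hunk at -4579 for "Failed to determine SELinux context"), while the commit title says a warning is always logged when setting the SELinux context fails; at the default log level an operator would still not see that a `-`-prefixed unit is running in the non-overridden context. Either the title should say "debug", or the two calls should use `log_unit_warning_errno(...)` with the same arguments, which matches the manual-page text added in this commit about the transition possibly still failing in the later execve(). A warning seems the more useful default since a failed setexeccon() silently changes which policy domain the service ends up in. The enclosing exec_child() starts and ends outside both hunks.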