1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-09 01:18:19 +03:00

execute: always log a warning when setting SELinux context fails

Update also manual page to explain how the transition can still fail.
This commit is contained in:
Topi Miettinen 2021-11-12 00:33:01 +02:00 committed by Zbigniew Jędrzejewski-Szmek
parent b01ee585c9
commit 006d1864fb
2 changed files with 19 additions and 10 deletions

View File

@ -730,10 +730,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
<listitem><para>Set the SELinux security context of the executed process. If set, this will override the
automated domain transition. However, the policy still needs to authorize the transition. This directive is
ignored if SELinux is disabled. If prefixed by <literal>-</literal>, all errors will be ignored. This does not
affect commands prefixed with <literal>+</literal>. See <citerefentry
project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
details.</para></listitem>
ignored if SELinux is disabled. If prefixed by <literal>-</literal>, failing to set the SELinux
security context will be ignored, but it's still possible that the subsequent
<function>execve()</function> may fail if the policy doesn't allow the transition for the
non-overridden context. This does not affect commands prefixed with <literal>+</literal>. See
<citerefentry
project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
<varlistentry>

View File

@ -4579,9 +4579,12 @@ static int exec_child(
if (fd >= 0) {
r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
if (r < 0 && !context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
}
log_unit_debug_errno(unit, r, "Failed to determine SELinux context, ignoring: %m");
}
}
}
@ -4713,9 +4716,12 @@ static int exec_child(
if (exec_context) {
r = setexeccon(exec_context);
if (r < 0 && !context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
if (r < 0) {
if (!context->selinux_context_ignore) {
*exit_status = EXIT_SELINUX_CONTEXT;
return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
}
log_unit_debug_errno(unit, r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);
}
}
}