From 416be1a03baed3b6b1a1a481576cd77bc322ca2b Mon Sep 17 00:00:00 2001
From: Filipe Brandenburger
Date: Fri, 9 Mar 2018 03:20:56 -0800
Subject: [PATCH] core/socket: support binary inside chroot when looking for SELinux label (#8405)

Otherwise having a .socket unit start a .service running a binary under a chroot fails as the unit is unable to determine the SELinux label of the binary.
---
 src/core/socket.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/core/socket.c b/src/core/socket.c
index 41988788b89..b3c09f67c02 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1439,7 +1439,9 @@ fail:
 }
 static int socket_determine_selinux_label(Socket *s, char **ret) {
+ Service *service;
 ExecCommand *c;
+ const char *path;
 int r;
 assert(s);
@@ -1461,11 +1463,13 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 if (!UNIT_ISSET(s->service)) goto no_label;
- c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
+ service = SERVICE(UNIT_DEREF(s->service));
+ c = service->exec_command[SERVICE_EXEC_START];
 if (!c) goto no_label;
- r = mac_selinux_get_create_label_from_exe(c->path, ret);
+ path = prefix_roota(service->exec_context.root_directory, c->path);
+ r = mac_selinux_get_create_label_from_exe(path, ret);
 if (IN_SET(r, -EPERM, -EOPNOTSUPP)) goto no_label;
 }
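Review bot: The new `prefix_roota(service->exec_context.root_directory, c->path)` call in the second hunk only joins the two strings, so a symlink anywhere in `c->path` is still resolved against the host root rather than inside the chroot, and the socket can end up labelled from a different file than the one the service will execute. Resolving the path within the root before the label lookup would close that gap, e.g. `r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);` with `path` declared as `_cleanup_free_ char *path = NULL;` and its return value checked before calling `mac_selinux_get_create_label_from_exe()`. Only `root_directory` is consulted here; whether units configured with a root image need the same handling cannot be told from these lines. The body of `socket_determine_selinux_label()` starts before and continues after the second hunk.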