mirror of
https://github.com/systemd/systemd.git
synced 2025-01-13 17:18:18 +03:00
core/socket: support binary inside chroot when looking for SELinux label (#8405)
Otherwise having a .socket unit start a .service running a binary under a chroot fails as the unit is unable to determine the SELinux label of the binary.
parent
906bdbf5e7
commit
416be1a03b
@ -1439,7 +1439,9 @@ fail:
|
||||
}
|
||||
|
||||
static int socket_determine_selinux_label(Socket *s, char **ret) {
|
||||
Service *service;
|
||||
ExecCommand *c;
|
||||
const char *path;
|
||||
int r;
|
||||
|
||||
assert(s);
|
||||
@ -1461,11 +1463,13 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
|
||||
if (!UNIT_ISSET(s->service))
|
||||
goto no_label;
|
||||
|
||||
c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
|
||||
service = SERVICE(UNIT_DEREF(s->service));
|
||||
c = service->exec_command[SERVICE_EXEC_START];
|
||||
if (!c)
|
||||
goto no_label;
|
||||
|
||||
r = mac_selinux_get_create_label_from_exe(c->path, ret);
|
||||
path = prefix_roota(service->exec_context.root_directory, c->path);
|
||||
r = mac_selinux_get_create_label_from_exe(path, ret);
|
||||
if (IN_SET(r, -EPERM, -EOPNOTSUPP))
|
||||
goto no_label;
|
||||
}
|
||||
|
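Review bot: In the second hunk, `path = prefix_roota(service->exec_context.root_directory, c->path);` only concatenates the root and the command path, so any symlink component in `c->path` is still resolved against the host root when the file is opened for the label lookup. If the chroot tree contains an absolute symlink at that location, the socket would take its SELinux create label from a host file rather than from the binary the service actually executes inside the root. Resolving the path relative to the root before the lookup would keep it inside the chroot, for example `r = chase_symlinks(c->path, service->exec_context.root_directory, CHASE_PREFIX_ROOT, &path);` with `path` as a freed-on-exit `char *`; the exact signature should be checked against this tree. Only `root_directory` is consulted, so a service whose root comes from an image rather than a directory presumably still looks up the host path; a short comment stating that limitation would help. The body of `socket_determine_selinux_label()` starts and ends outside the visible hunks.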