[systemd-commits] 2 commits - src/core

Lennart Poettering lennart at kemper.freedesktop.org
Mon Oct 15 16:57:59 PDT 2012


 src/core/selinux-access.c |   30 ++++++++++++++++++++++++------
 src/core/service.c        |    6 ------
 2 files changed, 24 insertions(+), 12 deletions(-)

New commits:
commit a33c48d83c7b3760519081c6d65231743b3bc60e
Author: Daniel J Walsh <dwalsh at redhat.com>
Date:   Thu Oct 11 17:06:46 2012 -0400

    SELinux patch still broken, in that we are not checking the correct source context.
    
    This patch does the dbus calls correctly.

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index d9c3f9b..852a328 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -59,6 +59,10 @@ static int bus_get_selinux_security_context(
                 DBusError *error) {
 
         _cleanup_dbus_message_unref_ DBusMessage *m = NULL, *reply = NULL;
+        DBusMessageIter iter, sub;
+        const char *bytes;
+        char *b;
+        int nbytes;
 
         m = dbus_message_new_method_call(
                         DBUS_SERVICE_DBUS,
@@ -85,12 +89,23 @@ static int bus_get_selinux_security_context(
         if (dbus_set_error_from_message(error, reply))
                 return -EIO;
 
-        if (!dbus_message_get_args(
-                            reply, error,
-                            DBUS_TYPE_STRING, scon,
-                            DBUS_TYPE_INVALID))
+        if (!dbus_message_iter_init(reply, &iter))
                 return -EIO;
 
+        if (dbus_message_iter_get_arg_type(&iter) != DBUS_TYPE_ARRAY)
+                return -EIO;
+
+        dbus_message_iter_recurse(&iter, &sub);
+        dbus_message_iter_get_fixed_array(&sub, &bytes, &nbytes);
+
+        b = strndup(bytes, nbytes);
+        if (!b)
+                return -ENOMEM;
+
+        *scon = b;
+
+        log_debug("GetConnectionSELinuxSecurityContext %s (pid %ld)", *scon, (long) bus_get_unix_process_id(connection, name, error));
+
         return 0;
 }
 
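Review bot: The element type of the array is never checked before `dbus_message_iter_get_fixed_array(&sub, &bytes, &nbytes)` reads it; the hunk only verifies that the outer argument is `DBUS_TYPE_ARRAY`, so a reply with a different array signature would be handed to `strndup` as raw bytes. Add `if (dbus_message_iter_get_arg_type(&sub) != DBUS_TYPE_BYTE) return -EIO;` right after the `dbus_message_iter_recurse` call, and since `nbytes` is an `int` that is implicitly converted to `size_t`, a `if (nbytes < 0) return -EIO;` guard before `strndup` is cheap insurance. The new `log_debug` line also performs a second D-Bus round trip (`bus_get_unix_process_id`) purely for a log message and passes the caller's `error` into it; if that lookup fails the function still returns 0 with `error` populated, which the caller presumably does not expect on the success path (the body of `bus_get_unix_process_id` is outside this hunk, so this is inferred). Consider logging only `*scon` here, or resolving the pid once at the call site. The enclosing function starts outside the hunk.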
@@ -293,14 +308,17 @@ static int get_calling_context(
         */
         sender = dbus_message_get_sender(message);
         if (sender) {
+                log_error("SELinux Got Sender %s", sender);
+
                 r = bus_get_selinux_security_context(connection, sender, scon, error);
                 if (r >= 0)
                         return r;
 
-                log_debug("bus_get_selinux_security_context failed %m");
-                dbus_error_free(error);
+                log_error("bus_get_selinux_security_context failed %m");
+                return r;
         }
 
+        log_debug("SELinux No Sender");
         if (!dbus_connection_get_unix_fd(connection, &fd)) {
                 log_error("bus_connection_get_unix_fd failed %m");
                 return -EINVAL;
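Review bot: `log_error("SELinux Got Sender %s", sender);` fires at error priority on every request that has a sender, which is the normal path, so it will flood the journal; `log_debug("SELinux Got Sender %s", sender);` matches the sibling `log_debug("SELinux No Sender")` added below. The new `return r;` after `log_error("bus_get_selinux_security_context failed %m")` also drops the previous fallback to the unix-fd path and removes the `dbus_error_free(error)` that used to clear the error before falling through; if callers of get_calling_context do not free `error` on a negative return, that DBusError now leaks (the caller is outside this hunk, so this is inferred). Note as well that `%m` reports `errno`, which a libdbus failure does not necessarily set, so the message may print a stale errno. The enclosing function starts and ends outside the hunk.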

commit 2abba39d759bacebd7461f7370bb108f48dcce92
Author: Mantas Mikulėnas <grawity at gmail.com>
Date:   Wed Oct 10 20:18:42 2012 +0300

    core: allow Type=oneshot services to have ExecReload
    
    Use cases:
    
     * iptables.service – atomically reload rules without having to flush
       them beforehand (which may leave the system insecure if reload fails)
    
     * rpc-nfsd.service – reexport filesystems after /etc/exports update
       without completely stopping and restarting nfsd
    
    (In both cases, the actual service is provided by a kernel module and
    does not have any associated user-space processes, thus Type=oneshot.)

diff --git a/src/core/service.c b/src/core/service.c
index 8d315c1..69c7150 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -1161,12 +1161,6 @@ static int service_verify(Service *s) {
                 return -EINVAL;
         }
 
-        if (s->type == SERVICE_ONESHOT &&
-            s->exec_command[SERVICE_EXEC_RELOAD]) {
-                log_error("%s has an ExecReload setting, which is not allowed for Type=oneshot services. Refusing.", UNIT(s)->id);
-                return -EINVAL;
-        }
-
         if (s->type == SERVICE_DBUS && !s->bus_name) {
                 log_error("%s is of type D-Bus but no D-Bus service name has been specified. Refusing.", UNIT(s)->id);
                 return -EINVAL;


