[systemd-commits] src/core

Zbigniew Jędrzejewski-Szmek zbyszek at kemper.freedesktop.org
Fri Dec 27 19:41:47 PST 2013


 src/core/dbus-manager.c |   18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

New commits:
commit 4f7385fa496242f06aaf358b66b28d71348607b3
Author: Lubomir Rintel <lkundrak at v3.sk>
Date:   Fri Dec 6 14:05:49 2013 +0100

    selinux: Check access vector for enable/disable perm for each unit file
    
    SELinux check will be done using the context of the unit file as a
    target instead of the default init_t context, allowing selinux control
    on the level of individual units.
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1022762

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index b7978e6..38004a0 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
                 sd_bus_error *error) {
 
         _cleanup_strv_free_ char **l = NULL;
+        char **i;
         UnitFileChange *changes = NULL;
         unsigned n_changes = 0;
         UnitFileScope scope;
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
         assert(message);
         assert(m);
 
-        r = selinux_access_check(bus, message, verb, error);
-        if (r < 0)
-                return r;
-
         r = sd_bus_message_read_strv(message, &l);
         if (r < 0)
                 return r;
 
+#ifdef HAVE_SELINUX
+        STRV_FOREACH(i, l) {
+                Unit *u;
+
+                u = manager_get_unit(m, *i);
+                if (u) {
+                        r = selinux_unit_access_check(u, bus, message, verb, error);
+                        if (r < 0)
+                                return r;
+                }
+        }
+#endif
+
         r = sd_bus_message_read(message, "bb", &runtime, &force);
         if (r < 0)
                 return r;
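Review bot: The per-unit loop fails open, because when `manager_get_unit(m, *i)` returns NULL the entry is skipped, and the unconditional `selinux_access_check(bus, message, verb, error)` that used to guard this method is removed in the same hunk. A request that names only unit files with no loaded `Unit` object would therefore reach the enable/disable code with no SELinux access-vector check at all. Whether callers can pass such names or file paths is not visible here, but the list comes straight from the bus message, so it should be treated as untrusted. I would keep the generic check as the fallback for unresolved entries, e.g. `else { r = selinux_access_check(bus, message, verb, error); if (r < 0) return r; }`, with a comment that an unloaded unit falls back to the manager-level check. Separately, `char **i;` in the first hunk is declared outside the `#ifdef HAVE_SELINUX` block and is unused in builds without SELinux; the body of method_enable_unit_files_generic starts and ends outside both hunks.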


