[systemd-commits] src/core
Zbigniew JÄdrzejewski-Szmek
zbyszek at kemper.freedesktop.org
Fri Dec 27 19:41:47 PST 2013
src/core/dbus-manager.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
New commits:
commit 4f7385fa496242f06aaf358b66b28d71348607b3
Author: Lubomir Rintel <lkundrak at v3.sk>
Date: Fri Dec 6 14:05:49 2013 +0100
selinux: Check access vector for enable/disable perm for each unit file
SELinux check will be done using the context of the unit file as a
target instead of the default init_t context, allowing selinux control
on the level of individual units.
https://bugzilla.redhat.com/show_bug.cgi?id=1022762
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index b7978e6..38004a0 100644
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1405,6 +1405,7 @@ static int method_enable_unit_files_generic(
sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
+ char **i;
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
UnitFileScope scope;
@@ -1414,14 +1415,23 @@ static int method_enable_unit_files_generic(
assert(message);
assert(m);
- r = selinux_access_check(bus, message, verb, error);
- if (r < 0)
- return r;
-
r = sd_bus_message_read_strv(message, &l);
if (r < 0)
return r;
+#ifdef HAVE_SELINUX
+ STRV_FOREACH(i, l) {
+ Unit *u;
+
+ u = manager_get_unit(m, *i);
+ if (u) {
+ r = selinux_unit_access_check(u, bus, message, verb, error);
+ if (r < 0)
+ return r;
+ }
+ }
+#endif
+
r = sd_bus_message_read(message, "bb", &runtime, &force);
if (r < 0)
return r;
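Review bot: In the added `STRV_FOREACH` loop, a name for which `manager_get_unit()` returns NULL is skipped without any access check, and the generic `selinux_access_check()` call that used to cover every request is removed, so enabling or disabling a unit file that is not currently loaded (or sending an empty list) reaches the rest of the function with no SELinux decision at all. Keep a fallback for that case, e.g. `else { r = selinux_access_check(bus, message, verb, error); if (r < 0) return r; }` after the `if (u)` block, and run the generic check once when `l` is empty. The list may also carry file paths rather than unit names, which presumably never match a loaded unit by name; that is worth confirming against the callers. A short comment above the loop, such as `/* Units that are not loaded have no per-unit context; fall back to the manager-wide check */`, would record the intent. The body of method_enable_unit_files_generic starts and ends outside this hunk.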