[systemd-devel] [PATCH] selinux: fix missing SELinux unit access check

HATAYAMA Daisuke d.hatayama at jp.fujitsu.com
Mon Jun 8 03:00:12 PDT 2015


Currently, the SELinux unit access check is not performed if a given unit
file has not been registered in the hash table. This is because function
manager_get_unit() only tries to pick up a Unit object from the Unit
hash table. Instead, we use function manager_load_unit(), which searches
the Unit file paths for the given Unit file.

Signed-off-by: HATAYAMA Daisuke <d.hatayama at jp.fujitsu.com>
---
 src/core/selinux-access.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index decd42f..36bdbcc 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units,
         int r;
 
         STRV_FOREACH(i, units) {
-                u = manager_get_unit(m, *i);
+                r = manager_load_unit(m, *i, NULL, error, &u);
+                if (r < 0)
+                        return r;
                 if (u) {
+                        if (u->load_state == UNIT_NOT_FOUND)
+                                return -ENOENT;
                         r = mac_selinux_unit_access_check(u, message, permission, error);
                         if (r < 0)
                                 return r;
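Review bot: the new `return -ENOENT` on `u->load_state == UNIT_NOT_FOUND` leaves `error` unset, so the bus caller gets a bare errno rather than a descriptive error, and it also changes behaviour for callers whose unit lists may contain names with no unit file on disk: with manager_get_unit() such names were simply skipped and the operation continued, whereas now the whole request fails before any SELinux check has run. Consider either filling in `error` (with the unit name) before returning, or keeping the old skip semantics for UNIT_NOT_FOUND and leaving the not-found decision to the caller that knows whether a missing file is fatal for its operation. Two smaller points: once manager_load_unit() has returned r >= 0, say whether `u` can still be NULL, because otherwise the surrounding `if (u)` is dead; and manager_load_unit() loads the unit on behalf of a caller that has not yet passed the access check, so any cost or error from loading (the `if (r < 0) return r;` path also hands load failures straight back to that caller) now happens before authorization, which is worth a sentence in the commit message as a deliberate trade-off.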
-- 
2.1.0