[systemd-devel] [PATCH] selinux: fix missing SELinux unit access check
Lennart Poettering
lennart at poettering.net
Mon Jun 8 03:37:14 PDT 2015
On Mon, 08.06.15 19:00, HATAYAMA Daisuke (d.hatayama at jp.fujitsu.com) wrote:
> Currently, SELinux unit access check is not performed if a given unit
> file has not been registered in a hash table. This is because function
> manager_get_unit() only tries to pick up a Unit object from a Unit
> hash table. Instead, we use function manager_load_unit() searching
> Unit file paths for the given Unit file.
Where precisely is this relevant? I mean, we generally invoke
operations on units that are already loaded?
> Signed-off-by: HATAYAMA Daisuke <d.hatayama at jp.fujitsu.com>
We don't use S-o-b in systemd.
> ---
> src/core/selinux-access.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index decd42f..36bdbcc 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units,
> int r;
>
> STRV_FOREACH(i, units) {
> - u = manager_get_unit(m, *i);
> + r = manager_load_unit(m, *i, NULL, error, &u);
> + if (r < 0)
> + return r;
> if (u) {
> + if (u->load_state == UNIT_NOT_FOUND)
> + return -ENOENT;
> r = mac_selinux_unit_access_check(u, message, permission, error);
> if (r < 0)
> return r;
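Review bot: the new `return -ENOENT` on `u->load_state == UNIT_NOT_FOUND` tightens the function's contract: before this hunk a name with no Unit object in the hash table was skipped silently, now the whole strv check fails on the first name that cannot be found, so every caller of mac_selinux_unit_access_check_strv() that may pass names of not-yet-existing units needs to be audited, and the commit message should state this behaviour change. That path also leaves `error` unset, unlike the surrounding failure paths from manager_load_unit() and mac_selinux_unit_access_check() which both populate it, so a D-Bus caller would get a generic errno rather than a descriptive bus error; consider filling `error` with sd_bus_error_setf() before returning. Finally, since manager_load_unit() returns a unit on every r >= 0 path, the retained `if (u)` guard is now redundant and can be dropped.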
> --
> 2.1.0
Lennart
--
Lennart Poettering, Red Hat