[systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
Lennart Poettering
lennart at poettering.net
Wed Jun 17 09:25:32 PDT 2015
On Wed, 10.06.15 14:40, HATAYAMA Daisuke (d.hatayama at jp.fujitsu.com) wrote:
> From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001
> From: HATAYAMA Daisuke <d.hatayama at jp.fujitsu.com>
> Date: Wed, 10 Jun 2015 14:10:31 +0900
> Subject: [PATCH] selinux: fix missing SELinux unit access check
>
> Currently, SELinux unit access check is not performed if a given unit
> file has not been registered in a hash table. This is because function
> manager_get_unit() only tries to pick up a Unit object from a Unit
> hash table. Instead, we use function manager_load_unit() searching
> Unit file pathes for the given Unit file.
> ---
> src/core/selinux-access.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> v2:
> - checking an error status by u->load_error to cover UNIT_ERROR case.
>
> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index decd42f..ac52906 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units,
> int r;
>
> STRV_FOREACH(i, units) {
> - u = manager_get_unit(m, *i);
> + r = manager_load_unit(m, *i, NULL, error, &u);
> + if (r < 0)
> + return r;
> if (u) {
> + if (u->load_error != 0)
> + return u->load_error;
> r = mac_selinux_unit_access_check(u, message, permission, error);
> if (r < 0)
> return r;
I commented on the issue now in github, could you please follow up
there?
https://github.com/systemd/systemd/pull/145
Lennart
--
Lennart Poettering, Red Hat
More information about the systemd-devel
mailing list