[systemd-devel] [PATCH v3 1/2] selinux: fix missing SELinux unit access check
HATAYAMA Daisuke
d.hatayama at jp.fujitsu.com
Thu Jun 18 21:16:43 PDT 2015
Currently, SELinux unit access check is not performed if a given unit
file has not been registered in a hash table. This is because function
manager_get_unit() only tries to pick up a Unit object from a Unit
hash table. Instead, we use function manager_load_unit() searching
Unit file paths for the given Unit file.
---
src/core/selinux-access.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index decd42f..f52bc6d 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -292,7 +292,9 @@ int mac_selinux_unit_access_check_strv(char **units,
int r;
STRV_FOREACH(i, units) {
- u = manager_get_unit(m, *i);
+ r = manager_load_unit(m, *i, NULL, error, &u);
+ if (r < 0)
+ return r;
if (u) {
r = mac_selinux_unit_access_check(u, message, permission, error);
if (r < 0)
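Review bot: In the STRV_FOREACH loop, manager_load_unit() now runs before mac_selinux_unit_access_check(), so a caller who has not yet been authorized can cause unit files to be looked up and loaded as a side effect of the check. Please state in the commit message why that is acceptable, or consider checking access against the unit file before loading it. The new "if (r < 0) return r;" also changes behaviour for names that cannot be loaded: with manager_get_unit() such entries were skipped silently, while now the first load failure aborts the loop and the remaining units are never checked. That is probably the intent, but it deserves a sentence in the message and a comment in the code. Finally, if manager_load_unit() always sets u when it returns success, the following "if (u) {" guard is dead and could be dropped; if it can leave u unset, that path still skips the access check and should be handled explicitly.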