dasharo/systemd
0
0
Fork 0
mirror of https://github.com/Dasharo/systemd.git synced 2026-03-06 15:02:31 -08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2053 from poettering/selinux-fix

Browse Source 
Two unrelated fixes
This commit is contained in:
David Herrmann
2015-11-30 19:30:03 +01:00
parent a00405285e 20ba6c2ebe
commit de418eb91c
10 changed files with 28 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/basic/selinux-util.c
View File

@@ -47,7 +47,7 @@ static struct selabel_handle *label_hnd = NULL;
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
bool mac_selinux_use(void) {
bool mac_selinux_have(void) {
#ifdef HAVE_SELINUX
if (cached_use < 0)
cached_use = is_selinux_enabled() > 0;
@@ -58,6 +58,16 @@ bool mac_selinux_use(void) {
#endif
}
bool mac_selinux_use(void) {
if (!mac_selinux_have())
return false;
/* Never try to configure SELinux features if we aren't
* root */
return getuid() == 0;
}
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
@@ -197,7 +207,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
assert(exe);
assert(label);
if (!mac_selinux_use())
if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -223,7 +233,7 @@ int mac_selinux_get_our_label(char **label) {
assert(label);
#ifdef HAVE_SELINUX
if (!mac_selinux_use())
if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(label);
@@ -247,7 +257,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
assert(exe);
assert(label);
if (!mac_selinux_use())
if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -302,7 +312,7 @@ char* mac_selinux_free(char *label) {
if (!label)
return NULL;
if (!mac_selinux_use())
if (!mac_selinux_have())
return NULL;

1
src/basic/selinux-util.h
View File

@@ -27,6 +27,7 @@
#include "macro.h"
bool mac_selinux_use(void);
bool mac_selinux_have(void);
void mac_selinux_retest(void);
int mac_selinux_init(const char *prefix);

2
src/journal/journald-native.c
View File

@@ -480,7 +480,7 @@ int server_open_native_socket(Server*s) {
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
if (mac_selinux_use()) {
if (mac_selinux_have()) {
r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");

2
src/journal/journald-server.c
View File

@@ -668,7 +668,7 @@ static void dispatch_message_real(
}
#ifdef HAVE_SELINUX
if (mac_selinux_use()) {
if (mac_selinux_have()) {
if (label) {
x = alloca(strlen("_SELINUX_CONTEXT=") + label_len + 1);

2
src/journal/journald-stream.c
View File

@@ -493,7 +493,7 @@ static int stdout_stream_install(Server *s, int fd, StdoutStream **ret) {
if (r < 0)
return log_error_errno(r, "Failed to determine peer credentials: %m");
if (mac_selinux_use()) {
if (mac_selinux_have()) {
r = getpeersec(fd, &stream->label);
if (r < 0 && r != -EOPNOTSUPP)
(void) log_warning_errno(r, "Failed to determine peer security context: %m");

2
src/journal/journald-syslog.c
View File

@@ -415,7 +415,7 @@ int server_open_syslog_socket(Server *s) {
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
if (mac_selinux_use()) {
if (mac_selinux_have()) {
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");

2
src/libsystemd/sd-bus/bus-socket.c
View File

@@ -609,7 +609,7 @@ static void bus_get_peercred(sd_bus *b) {
b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
/* Get the SELinux context of the peer */
if (mac_selinux_use()) {
if (mac_selinux_have()) {
r = getpeersec(b->input_fd, &b->label);
if (r < 0 && r != -EOPNOTSUPP)
log_debug_errno(r, "Failed to determine peer security context: %m");

2
src/shared/condition.c
View File

@@ -231,7 +231,7 @@ static int condition_test_security(Condition *c) {
assert(c->type == CONDITION_SECURITY);
if (streq(c->parameter, "selinux"))
return mac_selinux_use();
return mac_selinux_have();
if (streq(c->parameter, "smack"))
return mac_smack_use();
if (streq(c->parameter, "apparmor"))

10
src/systemd/_sd-common.h
View File

@@ -57,10 +57,10 @@
# ifdef __cplusplus
# define _SD_BEGIN_DECLARATIONS \
extern "C" { \
struct __useless_struct_to_allow_trailing_semicolon__
struct _sd_useless_struct_to_allow_trailing_semicolon_
# else
# define _SD_BEGIN_DECLARATIONS \
struct __useless_struct_to_allow_trailing_semicolon__
struct _sd_useless_struct_to_allow_trailing_semicolon_
# endif
#endif
@@ -68,10 +68,10 @@
# ifdef __cplusplus
# define _SD_END_DECLARATIONS \
} \
struct __useless_struct_to_allow_trailing_semicolon__
struct _sd_useless_cpp_struct_to_allow_trailing_semicolon_
# else
# define _SD_END_DECLARATIONS \
struct __useless_struct_to_allow_trailing_semicolon__
struct _sd_useless_struct_to_allow_trailing_semicolon_
# endif
#endif
@@ -80,6 +80,6 @@
if (*p) \
func(*p); \
} \
struct __useless_struct_to_allow_trailing_semicolon__
struct _sd_useless_struct_to_allow_trailing_semicolon_
#endif

2
src/test/test-condition.c
View File

@@ -203,7 +203,7 @@ static void test_condition_test_security(void) {
condition_free(condition);
condition = condition_new(CONDITION_SECURITY, "selinux", false, true);
assert_se(condition_test(condition) != mac_selinux_use());
assert_se(condition_test(condition) != mac_selinux_have());
condition_free(condition);
condition = condition_new(CONDITION_SECURITY, "ima", false, false);