condition: add ConditionSecurity

Using ConditionSecurity a unit can depend on a security module being enabled/disabled. For now the only recognized security module is SELinux. I'd like to use this feature for a unit that creates /.autorelabel if SELinux is disabled, to ensure a relabel is done automatically when the system is later rebooted with SELinux enabled.
2011-04-03 18:16:59 +02:00 · 2011-04-03 18:16:59 +02:00 · 07e833bc1d
parent 41584525cf
commit 07e833bc1d
3 changed files with 18 additions and 0 deletions
--- a/src/condition.c
+++ b/src/condition.c
@ -24,6 +24,10 @@
 #include <string.h>
 #include <unistd.h>

+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "util.h"
 #include "condition.h"

@ -128,6 +132,14 @@ static bool test_virtualization(const char *parameter) {
        return streq(parameter, id);
 }

+static bool test_security(const char *parameter) {
+#ifdef HAVE_SELINUX
+        if (!strcasecmp(parameter, "SELinux"))
+                return is_selinux_enabled() > 0;
+#endif
+        return false;
+}
+
 bool condition_test(Condition *c) {
        assert(c);

@ -157,6 +169,9 @@ bool condition_test(Condition *c) {
        case CONDITION_VIRTUALIZATION:
                return test_virtualization(c->parameter) == !c->negate;

+        case CONDITION_SECURITY:
+                return test_security(c->parameter) == !c->negate;
+
        case CONDITION_NULL:
                return !c->negate;

@ -220,6 +235,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
        [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
        [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
        [CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
+        [CONDITION_SECURITY] = "ConditionSecurity",
        [CONDITION_NULL] = "ConditionNull"
 };

--- a/src/condition.h
+++ b/src/condition.h
@ -32,6 +32,7 @@ typedef enum ConditionType {
        CONDITION_DIRECTORY_NOT_EMPTY,
        CONDITION_KERNEL_COMMAND_LINE,
        CONDITION_VIRTUALIZATION,
+        CONDITION_SECURITY,
        CONDITION_NULL,
        _CONDITION_TYPE_MAX,
        _CONDITION_TYPE_INVALID = -1
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@ -1853,6 +1853,7 @@ static int load_from_path(Unit *u, const char *path) {
                { "ConditionDirectoryNotEmpty", config_parse_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, u,                "Unit"    },
                { "ConditionKernelCommandLine", config_parse_condition_string, CONDITION_KERNEL_COMMAND_LINE, u,              "Unit"    },
                { "ConditionVirtualization",    config_parse_condition_string, CONDITION_VIRTUALIZATION, u,                   "Unit"    },
+                { "ConditionSecurity",          config_parse_condition_string, CONDITION_SECURITY, u,                         "Unit"    },
                { "ConditionNull",          config_parse_condition_null,  0, u,                                               "Unit"    },

                { "PIDFile",                config_parse_path,            0, &u->service.pid_file,                            "Service" },