condition: add ConditionSecurity
Using ConditionSecurity, a unit can depend on a security module being enabled or disabled. For now, the only recognized security module is SELinux. I'd like to use this feature for a unit that creates /.autorelabel if SELinux is disabled, to ensure a relabel is done automatically when the system is later rebooted with SELinux enabled.
parent
41584525cf
commit
07e833bc1d
|
@ -24,6 +24,10 @@
|
|||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#endif
|
||||
|
||||
#include "util.h"
|
||||
#include "condition.h"
|
||||
|
||||
|
@ -128,6 +132,14 @@ static bool test_virtualization(const char *parameter) {
|
|||
return streq(parameter, id);
|
||||
}
|
||||
|
||||
static bool test_security(const char *parameter) {
|
||||
#ifdef HAVE_SELINUX
|
||||
if (!strcasecmp(parameter, "SELinux"))
|
||||
return is_selinux_enabled() > 0;
|
||||
#endif
|
||||
return false;
|
||||
}
|
||||
|
||||
bool condition_test(Condition *c) {
|
||||
assert(c);
|
||||
|
||||
|
@ -157,6 +169,9 @@ bool condition_test(Condition *c) {
|
|||
case CONDITION_VIRTUALIZATION:
|
||||
return test_virtualization(c->parameter) == !c->negate;
|
||||
|
||||
case CONDITION_SECURITY:
|
||||
return test_security(c->parameter) == !c->negate;
|
||||
|
||||
case CONDITION_NULL:
|
||||
return !c->negate;
|
||||
|
||||
|
@ -220,6 +235,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
|
|||
[CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
|
||||
[CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
|
||||
[CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
|
||||
[CONDITION_SECURITY] = "ConditionSecurity",
|
||||
[CONDITION_NULL] = "ConditionNull"
|
||||
};
|
||||
|
||||
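Review bot: In `test_security()` an unrecognised module name, a build without `HAVE_SELINUX`, and an `is_selinux_enabled()` error (-1) all collapse into `false`, so in the new `CONDITION_SECURITY` case of `condition_test()` a negated condition with a misspelled module name (say `!selinx`) evaluates to true and the unit runs. For a setting that gates units on the security state of the machine, a typo should not pass silently; the `ConditionSecurity` table entry added in the unit-loading hunk uses the generic `config_parse_condition_string`, which, as far as this page shows, does not check the value against known modules. I would log the fall-through case before the final `return false;`, e.g. `log_warning("Unsupported ConditionSecurity= module '%s', treating as not enabled.", parameter);` (assuming the logging header is reachable from this file), and add a comment above the function: `/* Unknown modules and query errors count as "not enabled"; a negated condition therefore passes. */`. Separately, `strcasecmp()` is declared in `<strings.h>`, which the include hunk does not add; it may only work here through `<string.h>` on glibc.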
|
|
|
@ -32,6 +32,7 @@ typedef enum ConditionType {
|
|||
CONDITION_DIRECTORY_NOT_EMPTY,
|
||||
CONDITION_KERNEL_COMMAND_LINE,
|
||||
CONDITION_VIRTUALIZATION,
|
||||
CONDITION_SECURITY,
|
||||
CONDITION_NULL,
|
||||
_CONDITION_TYPE_MAX,
|
||||
_CONDITION_TYPE_INVALID = -1
|
||||
|
|
|
@ -1853,6 +1853,7 @@ static int load_from_path(Unit *u, const char *path) {
|
|||
{ "ConditionDirectoryNotEmpty", config_parse_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, u, "Unit" },
|
||||
{ "ConditionKernelCommandLine", config_parse_condition_string, CONDITION_KERNEL_COMMAND_LINE, u, "Unit" },
|
||||
{ "ConditionVirtualization", config_parse_condition_string, CONDITION_VIRTUALIZATION, u, "Unit" },
|
||||
{ "ConditionSecurity", config_parse_condition_string, CONDITION_SECURITY, u, "Unit" },
|
||||
{ "ConditionNull", config_parse_condition_null, 0, u, "Unit" },
|
||||
|
||||
{ "PIDFile", config_parse_path, 0, &u->service.pid_file, "Service" },
|
||||
|
|