exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for others settings.
Also remove call to security_check_context, as this doesn't serve anything, since setexeccon will fail anyway.
This commit is contained in:
Michael Scherer
Lennart Poettering
parent
5c56a259e0
commit
0d3f7bb3a5
|
|
@ -956,7 +956,9 @@
|
|||
<listitem><para>Set the SELinux context of the
|
||||
executed process. If set, this will override the
|
||||
automated domain transition. However, the policy
|
||||
still need to autorize the transition. See
|
||||
still need to autorize the transition. This directive
|
||||
is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
|
||||
all errors will be ignored. See
|
||||
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
for details.</para></listitem>
|
||||
</varlistentry>
|
||||
|
|
|
|||
|
|
@ -72,6 +72,7 @@
|
|||
#include "fileio.h"
|
||||
#include "unit.h"
|
||||
#include "async.h"
|
||||
#include "selinux-util.h"
|
||||
|
||||
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
|
||||
#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
|
||||
|
|
@ -1570,13 +1571,18 @@ int exec_spawn(ExecCommand *command,
|
|||
}
|
||||
#ifdef HAVE_SELINUX
|
||||
if (context->selinux_context && use_selinux()) {
|
||||
err = security_check_context(context->selinux_context);
|
||||
if (err < 0) {
|
||||
r = EXIT_SELINUX_CONTEXT;
|
||||
goto fail_child;
|
||||
}
|
||||
err = setexeccon(context->selinux_context);
|
||||
if (err < 0) {
|
||||
bool ignore;
|
||||
char* c;
|
||||
|
||||
c = context->selinux_context;
|
||||
if (c[0] == '-') {
|
||||
c++;
|
||||
ignore = true;
|
||||
} else
|
||||
ignore = false;
|
||||
|
||||
err = setexeccon(c);
|
||||
if (err < 0 && !ignore) {
|
||||
r = EXIT_SELINUX_CONTEXT;
|
||||
goto fail_child;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue