picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

core: make SELinux enable/disable check symmetric

Browse source 
We'd use the generic check for disable, and a unit-file-specific one for enable.
Use the more specific one both ways.

systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=disable path=(null) cmdline=/usr/lib/systemd/systemd-timedated: -13
systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:object_r:systemd_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline=/usr/lib/systemd/systemd-timedated: -13

https://bugzilla.redhat.com/show_bug.cgi?id=1014315
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2015-03-21 18:50:10 -04:00
parent 192b98b8fe
commit df823e23f0
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/core/dbus-manager.c
View file

@ -1799,10 +1799,6 @@ static int method_disable_unit_files_generic(
assert(message);
assert(m);
r = mac_selinux_access_check(message, verb, error);
if (r < 0)
return r;
r = sd_bus_message_read_strv(message, &l);
if (r < 0)
return r;
@ -1811,6 +1807,10 @@ static int method_disable_unit_files_generic(
if (r < 0)
return r;
r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
if (r < 0)
return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
r = bus_verify_manage_unit_files_async(m, message, error);