core: make SELinux enable/disable check symmetric
We'd use the generic check for disable, and a unit-file-specific one for enable. Use the more specific one both ways.

systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=disable path=(null) cmdline=/usr/lib/systemd/systemd-timedated: -13
systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:object_r:systemd_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline=/usr/lib/systemd/systemd-timedated: -13

https://bugzilla.redhat.com/show_bug.cgi?id=1014315
parent
192b98b8fe
commit
df823e23f0
|
@ -1799,10 +1799,6 @@ static int method_disable_unit_files_generic(
|
|||
assert(message);
|
||||
assert(m);
|
||||
|
||||
r = mac_selinux_access_check(message, verb, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = sd_bus_message_read_strv(message, &l);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
@ -1811,6 +1807,10 @@ static int method_disable_unit_files_generic(
|
|||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
|
||||
|
||||
r = bus_verify_manage_unit_files_async(m, message, error);
|
||||
|
|
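Review bot: With the unconditional `mac_selinux_access_check(message, verb, error)` gone from the first hunk, the only SELinux decision left on this path is `mac_selinux_unit_access_check_strv(l, message, m, verb, error)` in the second hunk, and `l` is the caller-supplied list read from the bus message. That helper's body is not visible here; if it returns 0 for an empty list, or skips names it cannot resolve to a unit, a disable request would reach `bus_verify_manage_unit_files_async()` with no SELinux check at all, so it is worth confirming that it fails closed. I would record the dependency above the call, e.g. `/* SELinux is enforced per unit file named in l; the helper must deny, not skip, names it cannot resolve */`. The body of method_disable_unit_files_generic starts and ends outside both hunks.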