54 lines
1.8 KiB
Diff
54 lines
1.8 KiB
Diff
From 1f408c8d9739b1038012eeec7bf0f918c8095bc4 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
|
Date: Fri, 23 Sep 2022 19:00:22 +0200
|
|
Subject: [PATCH] core: respect SELinuxContext= for socket creation
|
|
|
|
On socket creation respect the SELinuxContext= setting of the associated
|
|
service, such that the initial created socket has the same label as the
|
|
future process accepting the connection (since w.r.t SELinux sockets
|
|
normally have the same label as the owning process).
|
|
|
|
Triggered by #24702
|
|
|
|
(cherry picked from commit 599b384924bbef9f8f7fa5700c6fa35a404d9a98)
|
|
|
|
Related: #2136738
|
|
---
|
|
src/core/socket.c | 15 ++++++++++++++-
|
|
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/core/socket.c b/src/core/socket.c
|
|
index 9d47ca2616..d1ca0a07c5 100644
|
|
--- a/src/core/socket.c
|
|
+++ b/src/core/socket.c
|
|
@@ -1427,6 +1427,7 @@ fail:
|
|
static int socket_determine_selinux_label(Socket *s, char **ret) {
|
|
Service *service;
|
|
ExecCommand *c;
|
|
+ const char *exec_context;
|
|
_cleanup_free_ char *path = NULL;
|
|
int r;
|
|
|
|
@@ -1448,8 +1449,20 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
|
|
|
|
if (!UNIT_ISSET(s->service))
|
|
goto no_label;
|
|
-
|
|
service = SERVICE(UNIT_DEREF(s->service));
|
|
+
|
|
+ exec_context = service->exec_context.selinux_context;
|
|
+ if (exec_context) {
|
|
+ char *con;
|
|
+
|
|
+ con = strdup(exec_context);
|
|
+ if (!con)
|
|
+ return -ENOMEM;
|
|
+
|
|
+ *ret = TAKE_PTR(con);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
c = service->exec_command[SERVICE_EXEC_START];
|
|
if (!c)
|
|
goto no_label;
|