From e7c4dc07d35a10dc90f013572da6d25d17311d0a Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 13 Oct 2014 16:12:30 +0200
Subject: [PATCH] selinux: set selinux context applied on exec() before closing
all fds
|
We need the original socket_fd to still be open, otherwise label_get_child_mls_label()
fails with -EINVAL.
|
Related: #1113790
---
src/core/execute.c | 56 +++++++++++++++++++++++++++++-------------------------
1 file changed, 30 insertions(+), 26 deletions(-)
|
diff --git a/src/core/execute.c b/src/core/execute.c
|
|
|
84b277 |
index be99149..06713cc 100644
|
|
|
84b277 |
--- a/src/core/execute.c
|
|
|
84b277 |
+++ b/src/core/execute.c
|
|
|
84b277 |
@@ -1401,6 +1401,36 @@ int exec_spawn(ExecCommand *command,
|
|
|
84b277 |
}
|
|
|
84b277 |
}
|
|
|
84b277 |
|
|
|
84b277 |
+#ifdef HAVE_SELINUX
|
|
|
84b277 |
+ if (apply_permissions) {
|
|
|
84b277 |
+ if (use_selinux()) {
|
|
|
84b277 |
+ if (context->selinux_context) {
|
|
|
84b277 |
+ err = setexeccon(context->selinux_context);
|
|
|
84b277 |
+ if (err < 0 && !context->selinux_context_ignore) {
|
|
|
84b277 |
+ r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
+ goto fail_child;
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+
|
|
|
84b277 |
+ if (selinux_context_net && socket_fd >= 0) {
|
|
|
84b277 |
+ _cleanup_free_ char *label = NULL;
|
|
|
84b277 |
+
|
|
|
84b277 |
+ err = label_get_child_mls_label(socket_fd, command->path, &label);
|
|
|
84b277 |
+ if (err < 0) {
|
|
|
84b277 |
+ r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
+ goto fail_child;
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+
|
|
|
84b277 |
+ err = setexeccon(label);
|
|
|
84b277 |
+ if (err < 0) {
|
|
|
84b277 |
+ r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
+ goto fail_child;
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+ }
|
|
|
84b277 |
+#endif
|
|
|
84b277 |
+
|
|
|
84b277 |
/* We repeat the fd closing here, to make sure that
|
|
|
84b277 |
* nothing is leaked from the PAM modules */
|
|
|
84b277 |
err = close_all_fds(fds, n_fds);
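Review bot: The relocated block now relies on an ordering constraint that nothing in the code states: label_get_child_mls_label() reads socket_fd, so the block must run before the close_all_fds() call on the last context line, and only the commit message says so. A comment at the top of the block would protect against someone moving it back, e.g. `/* Must run before the fd closing below: label_get_child_mls_label() needs socket_fd still open, and close_all_fds() would close it. */`. The new `if (apply_permissions)` wrapper also deserves a word, since the commit message does not mention it; presumably it mirrors the enclosing condition at the block's old location, but that is only inferable from the closing brace in the second hunk. Separately, a failure of `setexeccon(label)` in the socket branch is fatal even when `context->selinux_context_ignore` is set, unlike the first setexeccon(); this asymmetry is carried over from the old code and may be intentional, but a one-line comment saying so would help the next reader. exec_spawn() starts and ends outside this hunk.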
|
|
|
84b277 |
@@ -1474,33 +1504,7 @@ int exec_spawn(ExecCommand *command,
|
|
|
84b277 |
goto fail_child;
|
|
|
84b277 |
}
|
|
|
84b277 |
}
|
|
|
84b277 |
-#ifdef HAVE_SELINUX
|
|
|
84b277 |
- if (use_selinux()) {
|
|
|
84b277 |
- if (context->selinux_context) {
|
|
|
84b277 |
- err = setexeccon(context->selinux_context);
|
|
|
84b277 |
- if (err < 0 && !context->selinux_context_ignore) {
|
|
|
84b277 |
- r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
- goto fail_child;
|
|
|
84b277 |
- }
|
|
|
84b277 |
- }
|
|
|
84b277 |
-
|
|
|
84b277 |
- if (selinux_context_net && socket_fd >= 0) {
|
|
|
84b277 |
- _cleanup_free_ char *label = NULL;
|
|
|
84b277 |
|
|
|
84b277 |
- err = label_get_child_mls_label(socket_fd, command->path, &label);
|
|
|
84b277 |
- if (err < 0) {
|
|
|
84b277 |
- r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
- goto fail_child;
|
|
|
84b277 |
- }
|
|
|
84b277 |
-
|
|
|
84b277 |
- err = setexeccon(label);
|
|
|
84b277 |
- if (err < 0) {
|
|
|
84b277 |
- r = EXIT_SELINUX_CONTEXT;
|
|
|
84b277 |
- goto fail_child;
|
|
|
84b277 |
- }
|
|
|
84b277 |
- }
|
|
|
84b277 |
- }
|
|
|
84b277 |
-#endif
|
|
|
84b277 |
}
|
|
|
84b277 |
|
|
|
84b277 |
our_env = new0(char*, 7);
|