From 5c2592bf519dc7b2b28cde77f5f35422ec7a9320 Mon Sep 17 00:00:00 2001
From: Michael Scherer <misc@zarb.org>
Date: Thu, 6 Feb 2014 10:05:18 +0100
Subject: [PATCH] exec: Add support for ignoring errors on SELinuxContext by
prefixing it with -, like for other settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
(cherry picked from commit 0d3f7bb3a5bc6d5c0712f88a080fed388981bca3)
Related: #1113790
---
man/systemd.exec.xml | 4 +++-
src/core/execute.c | 20 +++++++++++++-------
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index a68cfa7..7608489 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -924,7 +924,9 @@
<listitem><para>Set the SELinux context of the
executed process. If set, this will override the
automated domain transition. However, the policy
- still need to autorize the transition. See
+ still need to autorize the transition. This directive
+ is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
+ all errors will be ignored. See
<citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
for details.</para></listitem>
</varlistentry>
diff --git a/src/core/execute.c b/src/core/execute.c
index cb6f146..9fc5090 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -72,6 +72,7 @@
#include "fileio.h"
#include "unit.h"
#include "async.h"
+#include "selinux-util.h"
#define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
#define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@@ -1473,13 +1474,18 @@ int exec_spawn(ExecCommand *command,
}
#ifdef HAVE_SELINUX
if (context->selinux_context && use_selinux()) {
- err = security_check_context(context->selinux_context);
- if (err < 0) {
- r = EXIT_SELINUX_CONTEXT;
- goto fail_child;
- }
- err = setexeccon(context->selinux_context);
- if (err < 0) {
+ bool ignore;
+ char* c;
+
+ c = context->selinux_context;
+ if (c[0] == '-') {
+ c++;
+ ignore = true;
+ } else
+ ignore = false;
+
+ err = setexeccon(c);
+ if (err < 0 && !ignore) {
r = EXIT_SELINUX_CONTEXT;
goto fail_child;
}
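Review bot: With the `-` prefix, a failed setexeccon() at `if (err < 0 && !ignore)` is swallowed with no record at all, so a service whose requested context was rejected will run in whatever domain the automatic transition picks and the operator has nothing in the log to show it — an ignored security setting should still be visible. Split the check so the non-ignored case keeps `goto fail_child` and the ignored case emits a debug/warning line with the context and errno, using whichever log helper is valid in the child at this point in exec_spawn (its body starts before and ends after this hunk). Note also that a bare `SELinuxContext=-` leaves `c` pointing at an empty string, which is then passed straight to setexeccon(); an explicit `if (isempty(c))` skip (or a parse-time rejection) would make that case deliberate rather than whatever libselinux does with `""`. Minor style: `char* c;` should be `char *c = context->selinux_context;` to match the rest of the file and drop the separate assignment.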