ryantimwilson / rpms / systemd

Forked from rpms/systemd 3 months ago
Clone
803fb7
From e3f34eb2e0edc9cefe92e58e2ad4c98bcccf2090 Mon Sep 17 00:00:00 2001
803fb7
From: Lukas Nykryn <lnykryn@redhat.com>
803fb7
Date: Thu, 27 Aug 2015 10:33:15 +0200
803fb7
Subject: [PATCH] selinux: fix check for transient units
803fb7
803fb7
SELinux does not have a path to check for a snapshot service creation.
803fb7
This ends up giving us a bogus check.
803fb7
803fb7
On snapshot creation we should check if the remote process type, has the
803fb7
ability to start a service with the type that systemd is running with.
803fb7
803fb7
Based on patch from Vaclav Pavlin and Dan Walsh
803fb7
http://lists.freedesktop.org/archives/systemd-devel/2013-November/014021.html
803fb7
803fb7
RHEL only
803fb7
Resolves: #1255129
803fb7
---
803fb7
 src/core/dbus-manager.c   |  4 ++--
803fb7
 src/core/selinux-access.c | 11 ++++++-----
803fb7
 src/core/selinux-access.h |  9 ++++++---
803fb7
 3 files changed, 14 insertions(+), 10 deletions(-)
803fb7
803fb7
diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
803fb7
index 2bc37ba60..1ec350e03 100644
803fb7
--- a/src/core/dbus-manager.c
803fb7
+++ b/src/core/dbus-manager.c
803fb7
@@ -734,7 +734,7 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi
803fb7
         if (mode < 0)
803fb7
                 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode);
803fb7
 
803fb7
-        r = mac_selinux_access_check(message, "start", error);
803fb7
+        r = mac_selinux_runtime_unit_access_check(message, "start", error);
803fb7
         if (r < 0)
803fb7
                 return r;
803fb7
 
803fb7
@@ -1092,7 +1092,7 @@ static int method_create_snapshot(sd_bus *bus, sd_bus_message *message, void *us
803fb7
         assert(message);
803fb7
         assert(m);
803fb7
 
803fb7
-        r = mac_selinux_access_check(message, "start", error);
803fb7
+        r = mac_selinux_runtime_unit_access_check(message, "start", error);
803fb7
         if (r < 0)
803fb7
                 return r;
803fb7
 
803fb7
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
803fb7
index ce4f39459..91460b8af 100644
803fb7
--- a/src/core/selinux-access.c
803fb7
+++ b/src/core/selinux-access.c
803fb7
@@ -175,6 +175,7 @@ void mac_selinux_access_free(void) {
803fb7
 */
803fb7
 int mac_selinux_generic_access_check(
803fb7
                 sd_bus_message *message,
803fb7
+                bool system,
803fb7
                 const char *path,
803fb7
                 const char *permission,
803fb7
                 sd_bus_error *error) {
803fb7
@@ -213,7 +214,9 @@ int mac_selinux_generic_access_check(
803fb7
         if (r < 0)
803fb7
                 goto finish;
803fb7
 
803fb7
-        if (path) {
803fb7
+        tclass = "service";
803fb7
+
803fb7
+        if (path && !system) {
803fb7
                 /* Get the file context of the unit file */
803fb7
 
803fb7
                 r = getfilecon(path, &fcon);
803fb7
@@ -221,16 +224,14 @@ int mac_selinux_generic_access_check(
803fb7
                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get file context on %s.", path);
803fb7
                         goto finish;
803fb7
                 }
803fb7
-
803fb7
-                tclass = "service";
803fb7
         } else {
803fb7
                 r = getcon(&fcon);
803fb7
                 if (r < 0) {
803fb7
                         r = sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
803fb7
                         goto finish;
803fb7
                 }
803fb7
-
803fb7
-                tclass = "system";
803fb7
+                if (system)
803fb7
+                        tclass = "system";
803fb7
         }
803fb7
 
803fb7
         sd_bus_creds_get_cmdline(creds, &cmdline);
803fb7
diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
803fb7
index dd1e8bb9d..7dc271b35 100644
803fb7
--- a/src/core/selinux-access.h
803fb7
+++ b/src/core/selinux-access.h
803fb7
@@ -28,21 +28,24 @@
803fb7
 
803fb7
 void mac_selinux_access_free(void);
803fb7
 
803fb7
-int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
803fb7
+int mac_selinux_generic_access_check(sd_bus_message *message, bool system, const char *path, const char *permission, sd_bus_error *error);
803fb7
 
803fb7
 int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
803fb7
 
803fb7
 #ifdef HAVE_SELINUX
803fb7
 
803fb7
 #define mac_selinux_access_check(message, permission, error) \
803fb7
-        mac_selinux_generic_access_check((message), NULL, (permission), (error))
803fb7
+        mac_selinux_generic_access_check((message), true, NULL, (permission), (error))
803fb7
 
803fb7
 #define mac_selinux_unit_access_check(unit, message, permission, error) \
803fb7
         ({                                                              \
803fb7
                 Unit *_unit = (unit);                                   \
803fb7
-                mac_selinux_generic_access_check((message), _unit->source_path ?: _unit->fragment_path, (permission), (error)); \
803fb7
+                mac_selinux_generic_access_check((message), false, _unit->source_path ?: _unit->fragment_path, (permission), (error)); \
803fb7
         })
803fb7
 
803fb7
+#define mac_selinux_runtime_unit_access_check(message, permission, error) \
803fb7
+        mac_selinux_generic_access_check((message), false, NULL, (permission), (error))
803fb7
+
803fb7
 #else
803fb7
 
803fb7
 #define mac_selinux_access_check(message, permission, error) 0