|
 |
923a60 |
From 0b630ecdbfe20ddff9da4f4b6712e80b745b5ab2 Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
|
|
|
923a60 |
Date: Wed, 24 Jun 2015 12:01:26 +0900
|
|
|
923a60 |
Subject: [PATCH] selinux: fix missing SELinux unit access check
|
|
|
923a60 |
|
|
|
923a60 |
Currently, SELinux unit access check is not performed if a given unit
|
|
|
923a60 |
file has not been registered in a hash table. This is because function
|
|
|
923a60 |
manager_get_unit() only tries to pick up a Unit object from a Unit
|
|
|
923a60 |
hash table. Instead, we use function manager_load_unit() searching
|
|
|
923a60 |
Unit file pathes for the given Unit file.
|
|
|
923a60 |
|
|
|
923a60 |
Cherry-picked from: 4938696301a914ec26bcfc60bb99a1e9624e378
|
|
|
923a60 |
Resolves: #1185120
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/selinux-access.c | 12 ++++++------
|
|
|
923a60 |
1 file changed, 6 insertions(+), 6 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
|
|
|
923a60 |
index 91460b8af9..f11247c092 100644
|
|
|
923a60 |
--- a/src/core/selinux-access.c
|
|
|
923a60 |
+++ b/src/core/selinux-access.c
|
|
|
923a60 |
@@ -272,12 +272,12 @@ int mac_selinux_unit_access_check_strv(char **units,
|
|
|
923a60 |
int r;
|
|
|
923a60 |
|
|
|
923a60 |
STRV_FOREACH(i, units) {
|
|
|
923a60 |
- u = manager_get_unit(m, *i);
|
|
|
923a60 |
- if (u) {
|
|
|
923a60 |
- r = mac_selinux_unit_access_check(u, message, permission, error);
|
|
|
923a60 |
- if (r < 0)
|
|
|
923a60 |
- return r;
|
|
|
923a60 |
- }
|
|
|
923a60 |
+ r = manager_load_unit(m, *i, NULL, error, &u);
|
|
|
923a60 |
+ if (r < 0)
|
|
|
923a60 |
+ return r;
|
|
|
923a60 |
+ r = mac_selinux_unit_access_check(u, message, permission, error);
|
|
|
923a60 |
+ if (r < 0)
|
|
|
923a60 |
+ return r;
|
|
|
923a60 |
}
|
|
|
923a60 |
#endif
|
|
|
923a60 |
return 0;
|