|
 |
923a60 |
From e1a9c6a30820620c482ed597ff6920a549c49bec Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
|
|
|
923a60 |
Date: Wed, 26 Aug 2015 12:07:31 +0900
|
|
|
923a60 |
Subject: [PATCH] selinux: fix regression of systemctl subcommands when
|
|
|
923a60 |
absolute unit file paths are specified
|
|
|
923a60 |
|
|
|
923a60 |
The commit 4938696301a914ec26bcfc60bb99a1e9624e3789 overlooked the
|
|
|
923a60 |
fact that unit files can be specified as unit file paths, not unit
|
|
|
923a60 |
file names, wrongly passing a unit file path to the 1st argument of
|
|
|
923a60 |
manager_load_unit() that handles it as a unit file name. As a result,
|
|
|
923a60 |
the following 4 systemctl subcommands:
|
|
|
923a60 |
|
|
|
923a60 |
enable
|
|
|
923a60 |
disable
|
|
|
923a60 |
reenable
|
|
|
923a60 |
link
|
|
|
923a60 |
mask
|
|
|
923a60 |
unmask
|
|
|
923a60 |
|
|
|
923a60 |
fail with the following error message:
|
|
|
923a60 |
|
|
|
923a60 |
# systemctl enable /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid.
|
|
|
923a60 |
# systemctl disable /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid.
|
|
|
923a60 |
# systemctl reenable /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid.
|
|
|
923a60 |
# cp /usr/lib/systemd/system/kdump.service /tmp/
|
|
|
923a60 |
# systemctl link /tmp/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /tmp/kdump.service is not valid.
|
|
|
923a60 |
# systemctl mask /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid.
|
|
|
923a60 |
# systemctl unmask /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid.
|
|
|
923a60 |
|
|
|
923a60 |
To fix the issue, first check whether a unit file is passed as a unit
|
|
|
923a60 |
file name or a unit file path, and then pass the unit file to the
|
|
|
923a60 |
appropreate argument of manager_load_unit().
|
|
|
923a60 |
|
|
|
923a60 |
By the way, even with this commit mask and unmask reject unit file
|
|
|
923a60 |
paths as follows and this is a correct behavior:
|
|
|
923a60 |
|
|
|
923a60 |
# systemctl mask /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Invalid argument
|
|
|
923a60 |
# systemctl unmask /usr/lib/systemd/system/kdump.service
|
|
|
923a60 |
Failed to execute operation: Invalid argument
|
|
|
923a60 |
|
|
|
923a60 |
Cherry-picked from: 9fa7c1aeb9ec7e9d9f35184ce5c9d334f057d9de
|
|
|
923a60 |
Related: #1185120
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/selinux-access.c | 6 +++++-
|
|
|
923a60 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
|
|
|
923a60 |
index 297372d126..6cc0a49b92 100644
|
|
|
923a60 |
--- a/src/core/selinux-access.c
|
|
|
923a60 |
+++ b/src/core/selinux-access.c
|
|
|
923a60 |
@@ -42,6 +42,7 @@
|
|
|
923a60 |
#include "selinux-util.h"
|
|
|
923a60 |
#include "audit-fd.h"
|
|
|
923a60 |
#include "strv.h"
|
|
|
923a60 |
+#include "path-util.h"
|
|
|
923a60 |
|
|
|
923a60 |
static bool initialized = false;
|
|
|
923a60 |
|
|
|
923a60 |
@@ -272,7 +273,10 @@ int mac_selinux_unit_access_check_strv(char **units,
|
|
|
923a60 |
int r;
|
|
|
923a60 |
|
|
|
923a60 |
STRV_FOREACH(i, units) {
|
|
|
923a60 |
- r = manager_load_unit(m, *i, NULL, error, &u);
|
|
|
923a60 |
+ if (is_path(*i))
|
|
|
923a60 |
+ r = manager_load_unit(m, NULL, *i, error, &u);
|
|
|
923a60 |
+ else
|
|
|
923a60 |
+ r = manager_load_unit(m, *i, NULL, error, &u);
|
|
|
923a60 |
if (r < 0)
|
|
|
923a60 |
return r;
|
|
|
923a60 |
r = mac_selinux_unit_access_check(u, message, permission, error);
|