| From e1a9c6a30820620c482ed597ff6920a549c49bec Mon Sep 17 00:00:00 2001 |
| From: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com> |
| Date: Wed, 26 Aug 2015 12:07:31 +0900 |
| Subject: [PATCH] selinux: fix regression of systemctl subcommands when |
| absolute unit file paths are specified |
| |
| The commit 4938696301a914ec26bcfc60bb99a1e9624e3789 overlooked the |
| fact that unit files can be specified as unit file paths, not unit |
| file names, wrongly passing a unit file path to the 1st argument of |
| manager_load_unit() that handles it as a unit file name. As a result, |
| the following 4 systemctl subcommands: |
| |
| enable |
| disable |
| reenable |
| link |
| mask |
| unmask |
| |
| fail with the following error message: |
| |
| # systemctl enable /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. |
| # systemctl disable /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. |
| # systemctl reenable /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. |
| # cp /usr/lib/systemd/system/kdump.service /tmp/ |
| # systemctl link /tmp/kdump.service |
| Failed to execute operation: Unit name /tmp/kdump.service is not valid. |
| # systemctl mask /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. |
| # systemctl unmask /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Unit name /usr/lib/systemd/system/kdump.service is not valid. |
| |
| To fix the issue, first check whether a unit file is passed as a unit |
| file name or a unit file path, and then pass the unit file to the |
| appropreate argument of manager_load_unit(). |
| |
| By the way, even with this commit mask and unmask reject unit file |
| paths as follows and this is a correct behavior: |
| |
| # systemctl mask /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Invalid argument |
| # systemctl unmask /usr/lib/systemd/system/kdump.service |
| Failed to execute operation: Invalid argument |
| |
| Cherry-picked from: 9fa7c1aeb9ec7e9d9f35184ce5c9d334f057d9de |
| Related: #1185120 |
| |
| src/core/selinux-access.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c |
| index 297372d126..6cc0a49b92 100644 |
| |
| |
| @@ -42,6 +42,7 @@ |
| #include "selinux-util.h" |
| #include "audit-fd.h" |
| #include "strv.h" |
| +#include "path-util.h" |
| |
| static bool initialized = false; |
| |
| @@ -272,7 +273,10 @@ int mac_selinux_unit_access_check_strv(char **units, |
| int r; |
| |
| STRV_FOREACH(i, units) { |
| - r = manager_load_unit(m, *i, NULL, error, &u); |
| + if (is_path(*i)) |
| + r = manager_load_unit(m, NULL, *i, error, &u); |
| + else |
| + r = manager_load_unit(m, *i, NULL, error, &u); |
| if (r < 0) |
| return r; |
| r = mac_selinux_unit_access_check(u, message, permission, error); |