summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGary Tierney <gary.tierney@gmx.com>2017-05-02 17:42:19 +0100
committerSven Eden <yamakuzure@gmx.net>2017-07-25 09:46:52 +0200
commite666102220558dbb43210176129b3ea8245c578c (patch)
treefedc9056d8431171f29b5ec35295f389b0d30234
parentd5aacbb6077b4e45fd36fbff6843595aa64d2288 (diff)
Revert "selinux: split up mac_selinux_have() from mac_selinux_use()"
This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574. The previously mentioned commit inadvertently broke a lot of SELinux related functionality for both unprivileged users and elogind instances running as MANAGER_USER. In particular, setting the correct SELinux context after a User= directive is used would fail to work since we attempt to set the security context after changing UID. Additionally, it causes activated socket units to be mislabeled for elogind --user processes since setsockcreatecon() would never be called. Reverting this fixes the issues with labeling outlined above, and reinstates SELinux access checks on unprivileged user services.
-rw-r--r--src/basic/selinux-util.c20
-rw-r--r--src/basic/selinux-util.h1
-rw-r--r--src/libelogind/sd-bus/bus-socket.c2
-rw-r--r--src/test/test-selinux.c8
4 files changed, 10 insertions, 21 deletions
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index 2a9dd7c8c..79ce6a856 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -53,7 +53,7 @@ static struct selabel_handle *label_hnd = NULL;
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
-bool mac_selinux_have(void) {
+bool mac_selinux_use(void) {
#ifdef HAVE_SELINUX
if (cached_use < 0)
cached_use = is_selinux_enabled() > 0;
@@ -64,16 +64,6 @@ bool mac_selinux_have(void) {
#endif
}
-bool mac_selinux_use(void) {
- if (!mac_selinux_have())
- return false;
-
- /* Never try to configure SELinux features if we aren't
- * root */
-
- return getuid() == 0;
-}
-
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
@@ -206,7 +196,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
assert(exe);
assert(label);
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -232,7 +222,7 @@ int mac_selinux_get_our_label(char **label) {
assert(label);
#ifdef HAVE_SELINUX
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(label);
@@ -256,7 +246,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
assert(exe);
assert(label);
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -311,7 +301,7 @@ char* mac_selinux_free(char *label) {
if (!label)
return NULL;
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return NULL;
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index fa41a65f8..2a71afefa 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -26,7 +26,6 @@
#include "macro.h"
bool mac_selinux_use(void);
-bool mac_selinux_have(void);
void mac_selinux_retest(void);
int mac_selinux_init(void);
diff --git a/src/libelogind/sd-bus/bus-socket.c b/src/libelogind/sd-bus/bus-socket.c
index e6ed15eb7..8b25002f0 100644
--- a/src/libelogind/sd-bus/bus-socket.c
+++ b/src/libelogind/sd-bus/bus-socket.c
@@ -607,7 +607,7 @@ static void bus_get_peercred(sd_bus *b) {
b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
/* Get the SELinux context of the peer */
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
r = getpeersec(b->input_fd, &b->label);
if (r < 0 && r != -EOPNOTSUPP)
log_debug_errno(r, "Failed to determine peer security context: %m");
diff --git a/src/test/test-selinux.c b/src/test/test-selinux.c
index 5687e1e2f..964a228a5 100644
--- a/src/test/test-selinux.c
+++ b/src/test/test-selinux.c
@@ -35,16 +35,16 @@ static void test_testing(void) {
b = mac_selinux_use();
log_info("mac_selinux_use → %s", yes_no(b));
- b = mac_selinux_have();
- log_info("mac_selinux_have → %s", yes_no(b));
+ b = mac_selinux_use();
+ log_info("mac_selinux_use → %s", yes_no(b));
mac_selinux_retest();
b = mac_selinux_use();
log_info("mac_selinux_use → %s", yes_no(b));
- b = mac_selinux_have();
- log_info("mac_selinux_have → %s", yes_no(b));
+ b = mac_selinux_use();
+ log_info("mac_selinux_use → %s", yes_no(b));
}
static void test_loading(void) {