diff options
| author | Michal Sekletar <msekleta@redhat.com> | 2014-07-24 10:40:28 +0200 |
|---|---|---|
| committer | Michal Sekletar <msekleta@redhat.com> | 2014-09-19 12:32:06 +0200 |
| commit | 16115b0a7b7cdf08fb38084d857d572d8a9088dc (patch) | |
| tree | 2695c51cb8574ca2f1c6ea7bb90db11c4b5a88a2 /src/core/execute.c | |
| parent | 863f3ce0d050f005839f6aa41fe7bac5478a7b5e (diff) | |
socket: introduce SELinuxContextFromNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
Diffstat (limited to 'src/core/execute.c')
| -rw-r--r-- | src/core/execute.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/src/core/execute.c b/src/core/execute.c index db755777c..8c9dfde00 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -84,6 +84,7 @@ #include "mkdir.h" #include "apparmor-util.h" #include "bus-kernel.h" +#include "label.h" #ifdef HAVE_SECCOMP #include "seccomp-util.h" @@ -1665,11 +1666,29 @@ static int exec_child(ExecCommand *command, #endif #ifdef HAVE_SELINUX - if (context->selinux_context && use_selinux()) { - err = setexeccon(context->selinux_context); - if (err < 0 && !context->selinux_context_ignore) { - *error = EXIT_SELINUX_CONTEXT; - return err; + if (use_selinux()) { + if (context->selinux_context) { + err = setexeccon(context->selinux_context); + if (err < 0 && !context->selinux_context_ignore) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + } + + if (params->selinux_context_net && socket_fd >= 0) { + _cleanup_free_ char *label = NULL; + + err = label_get_child_mls_label(socket_fd, command->path, &label); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } + + err = setexeccon(label); + if (err < 0) { + *error = EXIT_SELINUX_CONTEXT; + return err; + } } } #endif |