diff options
author | Gary Tierney <gary.tierney@gmx.com> | 2017-05-02 17:42:19 +0100 |
---|---|---|
committer | Gary Tierney <gary.tierney@gmx.com> | 2017-05-12 14:43:39 +0100 |
commit | 6d395665e5ce7b64f3de4c9550c0779843e6cc44 (patch) | |
tree | 3b18a7a2ac745fac0393a23f2eab61479e64e855 /src/journal/journald-native.c | |
parent | 6e4177315f632e03afea43b6d99100bd434f3403 (diff) | |
download | systemd-6d395665e5ce7b64f3de4c9550c0779843e6cc44.tar.gz |
Revert "selinux: split up mac_selinux_have() from mac_selinux_use()"
This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
Diffstat (limited to 'src/journal/journald-native.c')
-rw-r--r-- | src/journal/journald-native.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index c9bf3832c7..74b00ad47e 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -479,7 +479,7 @@ int server_open_native_socket(Server*s) { return log_error_errno(errno, "SO_PASSCRED failed: %m"); #ifdef HAVE_SELINUX - if (mac_selinux_have()) { + if (mac_selinux_use()) { r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); if (r < 0) log_warning_errno(errno, "SO_PASSSEC failed: %m"); |