diff options
| author | Gary Tierney <gary.tierney@gmx.com> | 2017-05-02 17:42:19 +0100 |
|---|---|---|
| committer | Gary Tierney <gary.tierney@gmx.com> | 2017-05-12 14:43:39 +0100 |
| commit | 6d395665e5ce7b64f3de4c9550c0779843e6cc44 (patch) | |
| tree | 3b18a7a2ac745fac0393a23f2eab61479e64e855 /src/libsystemd | |
| parent | 6e4177315f632e03afea43b6d99100bd434f3403 (diff) | |
| download | systemd-6d395665e5ce7b64f3de4c9550c0779843e6cc44.tar.gz | |
Revert "selinux: split up mac_selinux_have() from mac_selinux_use()"
This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
Diffstat (limited to 'src/libsystemd')
| -rw-r--r-- | src/libsystemd/sd-bus/bus-socket.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c index e6ed15eb71..8b25002f01 100644 --- a/src/libsystemd/sd-bus/bus-socket.c +++ b/src/libsystemd/sd-bus/bus-socket.c @@ -607,7 +607,7 @@ static void bus_get_peercred(sd_bus *b) { b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0; /* Get the SELinux context of the peer */ - if (mac_selinux_have()) { + if (mac_selinux_use()) { r = getpeersec(b->input_fd, &b->label); if (r < 0 && r != -EOPNOTSUPP) log_debug_errno(r, "Failed to determine peer security context: %m"); |