Using ConditionSELinux, a unit can depend on the SELinux state: disabled, permissive, enforcing. A bool argument is also accepted: no = disabled, yes = permissive | enforcing
I'd like to use this feature for a unit that creates /.autorelabel if SELinux is disabled, to ensure a relabel is done automatically when the system is later rebooted with SELinux enabled.
---
 src/condition.c | 41 +++++++++++++++++++++++++++++++++++++++++
 src/condition.h | 1 +
 src/load-fragment.c | 1 +
 3 files changed, 43 insertions(+), 0 deletions(-)
diff --git a/src/condition.c b/src/condition.c
index 5ab77d8..60e696f 100644
--- a/src/condition.c
+++ b/src/condition.c
@@ -24,6 +24,10 @@
 #include <string.h>
 #include <unistd.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "util.h"
 #include "condition.h"
@@ -128,6 +132,39 @@ static bool test_virtualization(const char *parameter) {
 return streq(parameter, id);
 }
+static bool test_selinux(const char *parameter) {
+ int enforce, b;
+ const char *mode;
+
+#ifdef HAVE_SELINUX
+ static const char * const mode_table[] = {
+ "disabled",
+ "permissive",
+ "enforcing"
+ };
+
+ enforce = security_getenforce();
+ assert(enforce >= -1 && enforce <= 1);
+ mode = mode_table[enforce + 1];
+#else
+ enforce = -1;
+ mode = "disabled";
+#endif
+
+ if (streq(parameter, mode))
+ return true;
+
+ b = parse_boolean(parameter);
+
+ if (enforce >= 0 && b > 0)
+ return true;
+
+ if (enforce < 0 && b == 0)
+ return true;
+
+ return false;
+}
+
 bool condition_test(Condition *c) {
 assert(c);
@@ -157,6 +194,9 @@ bool condition_test(Condition *c) {
 case CONDITION_VIRTUALIZATION:
 return test_virtualization(c->parameter) == !c->negate;
+ case CONDITION_SELINUX:
+ return test_selinux(c->parameter) == !c->negate;
+
 case CONDITION_NULL:
 return !c->negate;
@@ -220,6 +260,7 @@ static const char* const condition_type_table[_CONDITION_TYPE_MAX] = {
 [CONDITION_DIRECTORY_NOT_EMPTY] = "ConditionDirectoryNotEmpty",
 [CONDITION_KERNEL_COMMAND_LINE] = "ConditionKernelCommandLine",
 [CONDITION_VIRTUALIZATION] = "ConditionVirtualization",
+ [CONDITION_SELINUX] = "ConditionSELinux",
 [CONDITION_NULL] = "ConditionNull"
 };
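Review bot: In test_selinux the value -1 from security_getenforce() is mapped to "disabled" by `mode_table[enforce + 1]` and by the `enforce < 0 && b == 0` branch, but -1 is also that function's error return, so a failure to read the enforce state (selinuxfs not mounted or not readable where the condition is evaluated) is indistinguishable from SELinux being off. For the use case in the description that means a read error makes ConditionSELinux=disabled true and triggers a /.autorelabel. I'd decide disabled vs. enabled with is_selinux_enabled() first and only then read the mode, treating a failed read as matching nothing, the same outcome an unparseable parameter already gets. The `assert(enforce >= -1 && enforce <= 1)` also turns an unexpected library return into an abort of whichever process evaluates the condition, which is presumably the manager itself; a range check that falls through to false is the safer shape.
```c
#ifdef HAVE_SELINUX
        /* … unchanged: mode_table definition … */

        int enabled = is_selinux_enabled();
        if (enabled < 0)
                return false;           /* state unknown: match no value */
        if (enabled == 0)
                enforce = -1;
        else {
                enforce = security_getenforce();
                if (enforce < 0 || enforce > 1)
                        return false;   /* read failure is not "disabled" */
        }
        mode = mode_table[enforce + 1];
#else
        /* … unchanged: non-SELinux fallback … */
```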
diff --git a/src/condition.h b/src/condition.h
index 9913c8c..0167b61 100644
--- a/src/condition.h
+++ b/src/condition.h
@@ -32,6 +32,7 @@ typedef enum ConditionType {
 CONDITION_DIRECTORY_NOT_EMPTY,
 CONDITION_KERNEL_COMMAND_LINE,
 CONDITION_VIRTUALIZATION,
+ CONDITION_SELINUX,
 CONDITION_NULL,
 _CONDITION_TYPE_MAX,
 _CONDITION_TYPE_INVALID = -1
diff --git a/src/load-fragment.c b/src/load-fragment.c
index cb8c250..94adc6f 100644
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -1853,6 +1853,7 @@ static int load_from_path(Unit *u, const char *path) {
 { "ConditionDirectoryNotEmpty", config_parse_condition_path, CONDITION_DIRECTORY_NOT_EMPTY, u, "Unit" },
 { "ConditionKernelCommandLine", config_parse_condition_string, CONDITION_KERNEL_COMMAND_LINE, u, "Unit" },
 { "ConditionVirtualization", config_parse_condition_string, CONDITION_VIRTUALIZATION, u, "Unit" },
+ { "ConditionSELinux", config_parse_condition_string, CONDITION_SELINUX, u, "Unit" },
 { "ConditionNull", config_parse_condition_null, 0, u, "Unit" },
 { "PIDFile", config_parse_path, 0, &u->service.pid_file, "Service" },
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel