Also remove call to security_check_context, as this doesn't serve anything, since setexeccon will fail anyway. --- man/systemd.exec.xml | 4 +++- src/core/execute.c | 14 ++++++++------ 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 4281c03..ecf48a7 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -956,7 +956,9 @@
 <listitem><para>Set the SELinux context of the executed process. If set, this will override the automated domain transition. However, the policy
- still need to autorize the transition. See
+ still need to autorize the transition. This directive
+ is ignored if SELinux is disabled. If prefixed by <literal>-</literal>,
+ all errors will be ignored. See
 <citerefentry><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
 for details.</para></listitem>
 </varlistentry>
diff --git a/src/core/execute.c b/src/core/execute.c
index 474a4af..a4b3405 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -72,6 +72,7 @@
 #include "fileio.h"
 #include "unit.h"
 #include "async.h"
+#include "selinux-util.h"
 #define IDLE_TIMEOUT_USEC (5*USEC_PER_SEC)
 #define IDLE_TIMEOUT2_USEC (1*USEC_PER_SEC)
@@ -1570,13 +1571,14 @@ int exec_spawn(ExecCommand *command,
 }
 #ifdef HAVE_SELINUX
 if (context->selinux_context && use_selinux()) {
- err = security_check_context(context->selinux_context);
- if (err < 0) {
- r = EXIT_SELINUX_CONTEXT;
- goto fail_child;
+ bool ignore = false;
+ char* c = context->selinux_context;
+ if (c[0] == '-') {
+ c++;
+ ignore = true;
 }
- err = setexeccon(context->selinux_context);
- if (err < 0) {
+ err = setexeccon(c);
+ if (err < 0 && !ignore) {
 r = EXIT_SELINUX_CONTEXT;
 goto fail_child;
 }
-- 
1.8.5.3
_______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
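Review bot: In the second execute.c hunk a failed setexeccon() is dropped without any diagnostic when `ignore` is set, so a unit whose `-`-prefixed context cannot be applied runs in whatever domain the automated transition yields and nothing records why; the prefix should suppress the exit status, not the message. I would split the condition so the failure is still logged, assuming the file's log helpers are usable in the child at this point, e.g. `if (err < 0) { if (!ignore) { r = EXIT_SELINUX_CONTEXT; goto fail_child; } log_warning("Failed to set SELinux context %s, ignoring: %m", c); }`. The prefix handling also lets a value of exactly `-` reach setexeccon() as an empty string; rejecting that when the directive is parsed (or at least here) would give a clearer error than whatever libselinux does with it. `char* c` also departs from the `char *c` declarator style the surrounding code uses. exec_spawn begins and ends outside the hunk.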