On Wed, 10.06.15 14:40, HATAYAMA Daisuke (d.hatay...@jp.fujitsu.com) wrote:
> From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001
> From: HATAYAMA Daisuke <d.hatay...@jp.fujitsu.com>
> Date: Wed, 10 Jun 2015 14:10:31 +0900
> Subject: [PATCH] selinux: fix missing SELinux unit access check
>
> Currently, SELinux unit access check is not performed if a given unit
> file has not been registered in a hash table. This is because function
> manager_get_unit() only tries to pick up a Unit object from a Unit
> hash table. Instead, we use function manager_load_unit() searching
> Unit file paths for the given Unit file.
> ---
>  src/core/selinux-access.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> v2:
> - checking an error status by u->load_error to cover UNIT_ERROR case.
>
> diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
> index decd42f..ac52906 100644
> --- a/src/core/selinux-access.c
> +++ b/src/core/selinux-access.c
> @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units,
>          int r;
>
>          STRV_FOREACH(i, units) {
> -                u = manager_get_unit(m, *i);
> +                r = manager_load_unit(m, *i, NULL, error, &u);
> +                if (r < 0)
> +                        return r;
>                  if (u) {
> +                        if (u->load_error != 0)
> +                                return u->load_error;
>                          r = mac_selinux_unit_access_check(u, message,
>                                                            permission, error);
>                          if (r < 0)
>                                  return r;

I commented on the issue now in github, could you please follow up there?

https://github.com/systemd/systemd/pull/145

Lennart

--
Lennart Poettering, Red Hat

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
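Review bot: the new `if (u->load_error != 0) return u->load_error;` in the STRV_FOREACH body aborts the check for the entire unit list with a bare errno and leaves `error` unset, so the bus caller gets no message saying which unit failed to load, unlike the `manager_load_unit()` and `mac_selinux_unit_access_check()` failure paths, which are handed `error`; consider returning through the bus error instead, e.g. `return sd_bus_error_set_errnof(error, u->load_error, "Unit %s failed to load", *i);`. The commit message should also state the behaviour change this hunk introduces: with `manager_get_unit()` a unit absent from the hash table was silently skipped, whereas now a unit that exists but cannot be loaded fails the whole access check, and the unit file is loaded by `manager_load_unit()` as a side effect before the SELinux decision for that unit is made.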