Blame SOURCES/0243-selinux-fix-missing-SELinux-unit-access-check.patch

From 0b630ecdbfe20ddff9da4f4b6712e80b745b5ab2 Mon Sep 17 00:00:00 2001
From: HATAYAMA Daisuke <d.hatayama@jp.fujitsu.com>
Date: Wed, 24 Jun 2015 12:01:26 +0900
Subject: [PATCH] selinux: fix missing SELinux unit access check
Currently, SELinux unit access check is not performed if a given unit
file has not been registered in a hash table. This is because function
manager_get_unit() only tries to pick up a Unit object from a Unit
hash table. Instead, we use function manager_load_unit() searching
Unit file paths for the given Unit file.
Cherry-picked from: 4938696301a914ec26bcfc60bb99a1e9624e378
Resolves: #1185120
---
 src/core/selinux-access.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 91460b8..f11247c 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -272,12 +272,12 @@ int mac_selinux_unit_access_check_strv(char **units,
         int r;
 
         STRV_FOREACH(i, units) {
-                u = manager_get_unit(m, *i);
-                if (u) {
-                        r = mac_selinux_unit_access_check(u, message, permission, error);
-                        if (r < 0)
-                                return r;
-                }
+                r = manager_load_unit(m, *i, NULL, error, &u);
+                if (r < 0)
+                        return r;
+                r = mac_selinux_unit_access_check(u, message, permission, error);
+                if (r < 0)
+                        return r;
         }
 #endif
         return 0;
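
Review bot: In the `+` lines, `manager_load_unit(m, *i, NULL, error, &u)` runs before `mac_selinux_unit_access_check()`, so the unit file search and load are performed on behalf of the caller before SELinux has had a chance to deny the request, and a load failure now returns `r` for the whole list where the old `if (u)` branch silently skipped names that were not in the hash table. Please add a short comment above the call saying that loading is intentional so that units not yet registered still get checked, and confirm that handing the load error back to a caller who has not yet passed the access check is acceptable. It would also help to note that `u` is dereferenced by the check without a NULL test, so the code relies on `manager_load_unit()` always setting `u` when it returns `r >= 0`.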