authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2020-09-01 22:19:52 +0200
committerGitHub <noreply@github.com>2020-09-01 22:19:52 +0200
commit47b04ef6327bac408ed724f4e94967ed36b72877 (patch)
tree0f0656c4252d797293b1236c06fb10d2245a81c7
parentMerge pull request #16911 from keszybz/userdb-json-invalid-utf8 (diff)
parentselinux: create /run/systemd/userdb directory and sockets with default SELinu... (diff)
Merge pull request #16925 from cgzones/selinux_create_label
selinux/core: create several file objects with default SELinux context
-rw-r--r--src/basic/label.c22
-rw-r--r--src/basic/label.h1
-rw-r--r--src/core/core-varlink.c2
-rw-r--r--src/core/manager.c5
-rw-r--r--src/core/unit.c4
-rw-r--r--src/shared/varlink.c9
6 files changed, 35 insertions, 8 deletions
diff --git a/src/basic/label.c b/src/basic/label.c
index 741c43c2b9..107028e068 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -5,6 +5,7 @@
#include <unistd.h>
#include "btrfs-util.h"
+#include "fs-util.h"
#include "label.h"
#include "macro.h"
#include "selinux-util.h"
@@ -45,6 +46,27 @@ int symlink_label(const char *old_path, const char *new_path) {
return mac_smack_fix(new_path, 0);
}
+int symlink_atomic_label(const char *from, const char *to) {
+ int r;
+
+ assert(from);
+ assert(to);
+
+ r = mac_selinux_create_file_prepare(to, S_IFLNK);
+ if (r < 0)
+ return r;
+
+ if (symlink_atomic(from, to) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(to, 0);
+}
+
int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
int r;
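Review bot: In symlink_atomic_label, `if (symlink_atomic(from, to) < 0) r = -errno;` takes the error code from errno, but symlink_atomic reports failure through its return value — the unit.c hunk in this same commit passes that return straight to log_unit_debug_errno — so errno may be stale or unset when the helper fails before reaching a syscall, and the function can then return a wrong or even non-negative code for a failed symlink. Use the return value instead: `r = symlink_atomic(from, to);`, keeping the mac_selinux_create_file_clear() call before the `if (r < 0) return r;` that follows. A short header comment would also help callers choose between this and symlink_label(), e.g. `/* Like symlink_atomic(), but creates the link with the default SELinux context for 'to' and then applies the SMACK label. */`.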
diff --git a/src/basic/label.h b/src/basic/label.h
index 6dc0f710ef..d99d824b4a 100644
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -17,6 +17,7 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
int mkdir_label(const char *path, mode_t mode);
int mkdirat_label(int dirfd, const char *path, mode_t mode);
int symlink_label(const char *old_path, const char *new_path);
+int symlink_atomic_label(const char *from, const char *to);
int mknod_label(const char *pathname, mode_t mode, dev_t dev);
int btrfs_subvol_make_label(const char *path);
diff --git a/src/core/core-varlink.c b/src/core/core-varlink.c
index 54f1cc7974..5a586f1e59 100644
--- a/src/core/core-varlink.c
+++ b/src/core/core-varlink.c
@@ -291,7 +291,7 @@ int manager_varlink_init(Manager *m) {
return log_error_errno(r, "Failed to register varlink methods: %m");
if (!MANAGER_IS_TEST_RUN(m)) {
- (void) mkdir_p("/run/systemd/userdb", 0755);
+ (void) mkdir_p_label("/run/systemd/userdb", 0755);
r = varlink_server_listen_address(s, "/run/systemd/userdb/io.systemd.DynamicUser", 0666);
if (r < 0)
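Review bot: The result of `mkdir_p_label("/run/systemd/userdb", 0755)` is still discarded with `(void)`, so a failure to create or label the directory stays invisible until varlink_server_listen_address fails on the bind, presumably with a message that names the socket rather than the directory. If best effort is intended, logging keeps the diagnostic without changing behavior: `r = mkdir_p_label("/run/systemd/userdb", 0755); if (r < 0) log_warning_errno(r, "Failed to create /run/systemd/userdb, ignoring: %m");`. manager_varlink_init starts and ends outside the hunk.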
diff --git a/src/core/manager.c b/src/core/manager.c
index bd02337faf..5372e81d97 100644
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -63,6 +63,7 @@
#include "ratelimit.h"
#include "rlimit-util.h"
#include "rm-rf.h"
+#include "selinux-util.h"
#include "serialize.h"
#include "signal-util.h"
#include "socket-util.h"
@@ -963,9 +964,9 @@ static int manager_setup_notify(Manager *m) {
(void) mkdir_parents_label(m->notify_socket, 0755);
(void) sockaddr_un_unlink(&sa.un);
- r = bind(fd, &sa.sa, sa_len);
+ r = mac_selinux_bind(fd, &sa.sa, sa_len);
if (r < 0)
- return log_error_errno(errno, "bind(%s) failed: %m", m->notify_socket);
+ return log_error_errno(r, "bind(%s) failed: %m", m->notify_socket);
r = setsockopt_int(fd, SOL_SOCKET, SO_PASSCRED, true);
if (r < 0)
diff --git a/src/core/unit.c b/src/core/unit.c
index 518a07f619..302c82067f 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -24,10 +24,10 @@
#include "fileio-label.h"
#include "fileio.h"
#include "format-util.h"
-#include "fs-util.h"
#include "id128-util.h"
#include "io-util.h"
#include "install.h"
+#include "label.h"
#include "load-dropin.h"
#include "load-fragment.h"
#include "log.h"
@@ -5603,7 +5603,7 @@ static int unit_export_invocation_id(Unit *u) {
if (r < 0)
return log_unit_debug_errno(u, r, "Failed to get invocation path: %m");
- r = symlink_atomic(u->invocation_id_string, p);
+ r = symlink_atomic_label(u->invocation_id_string, p);
if (r < 0)
return log_unit_debug_errno(u, r, "Failed to create invocation ID symlink %s: %m", p);
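Review bot: The first unit.c hunk drops the direct `#include "fs-util.h"` although only the symlink_atomic call is replaced here, so unless every other fs-util.h use in unit.c was removed as well the file now compiles only through a transitive include; keep `#include "fs-util.h"` next to the new `#include "label.h"` so unit.c states its own dependencies. The replacement in unit_export_invocation_id itself is consistent with the old call: r is passed to log_unit_debug_errno as before, and symlink_atomic_label returns negative error codes from the label.c hunk. unit_export_invocation_id starts and ends outside the hunk.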
diff --git a/src/shared/varlink.c b/src/shared/varlink.c
index 99ae9265f9..a84c51f2af 100644
--- a/src/shared/varlink.c
+++ b/src/shared/varlink.c
@@ -9,6 +9,7 @@
#include "io-util.h"
#include "list.h"
#include "process-util.h"
+#include "selinux-util.h"
#include "set.h"
#include "socket-util.h"
#include "string-table.h"
@@ -2249,9 +2250,11 @@ int varlink_server_listen_address(VarlinkServer *s, const char *address, mode_t
(void) sockaddr_un_unlink(&sockaddr.un);
- RUN_WITH_UMASK(~m & 0777)
- if (bind(fd, &sockaddr.sa, sockaddr_len) < 0)
- return -errno;
+ RUN_WITH_UMASK(~m & 0777) {
+ r = mac_selinux_bind(fd, &sockaddr.sa, sockaddr_len);
+ if (r < 0)
+ return r;
+ }
if (listen(fd, SOMAXCONN) < 0)
return -errno;