author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-10-14 04:27:43 +0200 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-10-14 04:37:13 +0200 |
commit | a5a807e63a50314e190e9166d8a453cd8dd258e3 (patch) | |
tree | d906ba643b17791f74fd4611a1eb679392e8a42e /src/resolve | |
parent | resolved: split out writing of resolv.conf (diff) | |
resolved: apply label to /run/systemd/resolve/resolv.conf
Under an SELinux system, we want the file that is created to
have a proper context, different from the default for files in /run.
This is so that the policy can give access to almost everyone to
this file.
Diffstat (limited to 'src/resolve')
-rw-r--r-- | src/resolve/resolved-manager.c | 3 | ||||
-rw-r--r-- | src/resolve/resolved.c | 10 |
2 files changed, 10 insertions, 3 deletions
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index ec181fad32..74f4ad5dba 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -34,6 +34,7 @@
 #include "socket-util.h"
 #include "af-list.h"
 #include "utf8.h"
+#include "fileio-label.h"
 #include "resolved-dns-domain.h"
 #include "resolved-conf.h"
@@ -821,7 +822,7 @@ int manager_write_resolv_conf(Manager *m) {
 }
 }
- r = fopen_temporary(path, &f, &temp_path);
+ r = fopen_temporary_label(path, path, &f, &temp_path);
 if (r < 0) return r;
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 88c3bcc591..ef416e5cae 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -38,14 +38,20 @@ int main(int argc, char *argv[]) {
 log_parse_environment();
 log_open();
- umask(0022);
-
 if (argc != 1) {
 log_error("This program takes no arguments.");
 r = -EINVAL;
 goto finish;
 }
+ umask(0022);
+
+ r = label_init(NULL);
+ if (r < 0) {
+ log_error("SELinux setup failed: %s", strerror(-r));
+ goto finish;
+ }
+
 r = get_user_creds(&user, &uid, &gid, NULL, NULL);
 if (r < 0) {
 log_error("Cannot resolve user name %s: %s", user, strerror(-r)); |
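Review bot: The new call `fopen_temporary_label(path, path, &f, &temp_path)` in manager_write_resolv_conf passes `path` twice, and nothing on the line says which argument selects the SELinux context and which names the file to create. A short comment above the call would make the intent auditable, for example `/* label the temporary file as the final resolv.conf path, so the context is already correct when it replaces the target */`. The rest of the function, including how the temporary file is moved into place, lies outside this hunk, so it is worth confirming there that no later step recreates the file without the label.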
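Review bot: `label_init(NULL)` in main() asks for the whole file-context database, although this daemon only ever labels one file under /run/systemd/resolve. If the argument is the usual path prefix for the lookup, `r = label_init("/run");` would keep the loaded policy data and the long-running process's memory footprint smaller. The hunk also adds no matching `label_finish()`; the `finish:` label is outside the hunk, so confirm whether the handle is released there. A one-line comment that labelling is initialised before the user lookup that follows (and whatever privilege change comes after it, not visible here) would record why the call sits at this point.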