authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-10-14 04:27:43 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2014-10-14 04:37:13 +0200
commita5a807e63a50314e190e9166d8a453cd8dd258e3 (patch)
treed906ba643b17791f74fd4611a1eb679392e8a42e /src/resolve
parentresolved: split out writing of resolv.conf (diff)
resolved: apply label to /run/systemd/resolve/resolv.conf
Under an SELinux system, we want the file that is created to have a proper context, different from the default for files in /run. This is so that the policy can give access to almost everyone to this file.
Diffstat (limited to 'src/resolve')
-rw-r--r--src/resolve/resolved-manager.c3
-rw-r--r--src/resolve/resolved.c10
2 files changed, 10 insertions, 3 deletions
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index ec181fad32..74f4ad5dba 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -34,6 +34,7 @@
#include "socket-util.h"
#include "af-list.h"
#include "utf8.h"
+#include "fileio-label.h"
#include "resolved-dns-domain.h"
#include "resolved-conf.h"
@@ -821,7 +822,7 @@ int manager_write_resolv_conf(Manager *m) {
}
}
- r = fopen_temporary(path, &f, &temp_path);
+ r = fopen_temporary_label(path, path, &f, &temp_path);
if (r < 0)
return r;
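Review bot: `path` is passed twice to `fopen_temporary_label()` on the added line, and nothing at the call site says why. The first argument is the target whose policy label is looked up, and the second is the path from which the temporary file name is derived. A short comment above the call would make this clear, for example `/* Create the temp file with the SELinux context of the final path; rename() keeps that label */`. The rest of manager_write_resolv_conf(), including the rename and the error cleanup, lies outside the hunk, so it cannot be checked from here whether every later failure path removes the labelled temporary file.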
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 88c3bcc591..ef416e5cae 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -38,14 +38,20 @@ int main(int argc, char *argv[]) {
log_parse_environment();
log_open();
- umask(0022);
-
if (argc != 1) {
log_error("This program takes no arguments.");
r = -EINVAL;
goto finish;
}
+ umask(0022);
+
+ r = label_init(NULL);
+ if (r < 0) {
+ log_error("SELinux setup failed: %s", strerror(-r));
+ goto finish;
+ }
+
r = get_user_creds(&user, &uid, &gid, NULL, NULL);
if (r < 0) {
log_error("Cannot resolve user name %s: %s", user, strerror(-r));
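Review bot: `label_init(NULL)` is added without a visible `label_finish()` counterpart. The `finish:` label is outside this hunk, so if the exit path does not already release the labeling handle, `label_finish();` should be added there. A negative return from `label_init()` now stops the daemon from starting at all, which presumably is meant to happen only when the policy is enforcing. A comment above the call, such as `/* Load the labeling database so resolv.conf is created with its policy context; failure here is fatal */`, would record that intent. main() begins and ends outside the hunk.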