projects / platform / upstream / systemd.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 906bdbf)
core/socket: support binary inside chroot when looking for SELinux label (#8405)
authorFilipe Brandenburger <filbranden@google.com>
Fri, 9 Mar 2018 11:20:56 +0000 (03:20 -0800)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Fri, 9 Mar 2018 11:20:56 +0000 (12:20 +0100)
Otherwise having a .socket unit start a .service running a binary under
a chroot fails as the unit is unable to determine the SELinux label of
the binary.

src/core/socket.c patch | blob | history

diff --git a/src/core/socket.c b/src/core/socket.c
index 4198878..b3c09f6 100644 (file)
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1439,7 +1439,9 @@ fail:
 }
 
 static int socket_determine_selinux_label(Socket *s, char **ret) {
+        Service *service;
         ExecCommand *c;
+        const char *path;
         int r;
 
         assert(s);
@@ -1461,11 +1463,13 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
                 if (!UNIT_ISSET(s->service))
                         goto no_label;
 
-                c = SERVICE(UNIT_DEREF(s->service))->exec_command[SERVICE_EXEC_START];
+                service = SERVICE(UNIT_DEREF(s->service));
+                c = service->exec_command[SERVICE_EXEC_START];
                 if (!c)
                         goto no_label;
 
-                r = mac_selinux_get_create_label_from_exe(c->path, ret);
+                path = prefix_roota(service->exec_context.root_directory, c->path);
+                r = mac_selinux_get_create_label_from_exe(path, ret);
                 if (IN_SET(r, -EPERM, -EOPNOTSUPP))
                         goto no_label;
         }
Domain: System / System Framework;