core: fix selinux check for reload

Fixes:
-bash-4.3# echo 1 >/sys/fs/selinux/enforce
-bash-4.3# runcon -t systemd_test_start_t systemctl start hola

-bash-4.3# sesearch --allow -s systemd_test_reload_t -c service
Found 1 semantic av rules:
   allow systemd_test_reload_t systemd_unit_file_t : service reload ;

-bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola
Failed to reload hola.service: Access denied
See system logs and 'systemctl status hola.service' for details.

-bash-4.3# journalctl -b | grep -i user_avc | grep reload
USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
msg='
avc:  denied  { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola"
scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023
tcontext=system_u:object_r:systemd_unit_file_t:s0
tclass=service

See
https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation

diff --git a/src/core/dbus-unit.c b/src/core/dbus-unit.c
index 386ea96d1beba501ef4d950e7b4b80f39e14e385..9862f6e6f63d35b03f005fd732a89c967963e4bb 100644 (file)
--- a/src/core/dbus-unit.c
+++ b/src/core/dbus-unit.c
@@ -458,7 +458,10 @@ int bus_unit_method_start_generic(
         assert(u);
         assert(job_type >= 0 && job_type < _JOB_TYPE_MAX);
 
-        r = mac_selinux_unit_access_check(u, message, job_type == JOB_STOP ? "stop" : "start", error);
+        r = mac_selinux_unit_access_check(
+                        u, message,
+                        (job_type == JOB_START || job_type == JOB_RESTART || job_type == JOB_TRY_RESTART) ? "start" :
+                        job_type == JOB_STOP ? "stop" : "reload", error);
         if (r < 0)
                 return r;