This reverts commit
6355e75610a8d47fc3ba5ab8bd442172a2cfe574.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
-bool mac_selinux_have(void) {
+bool mac_selinux_use(void) {
#ifdef HAVE_SELINUX
if (cached_use < 0)
cached_use = is_selinux_enabled() > 0;
#endif
}
-bool mac_selinux_use(void) {
- if (!mac_selinux_have())
- return false;
-
- /* Never try to configure SELinux features if we aren't
- * root */
-
- return getuid() == 0;
-}
-
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
assert(exe);
assert(label);
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
assert(label);
#ifdef HAVE_SELINUX
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(label);
assert(exe);
assert(label);
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
if (!label)
return NULL;
- if (!mac_selinux_have())
+ if (!mac_selinux_use())
return NULL;
#include "macro.h"
bool mac_selinux_use(void);
-bool mac_selinux_have(void);
void mac_selinux_retest(void);
int mac_selinux_init(void);
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");
}
#ifdef HAVE_SELINUX
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
if (label) {
x = alloca(strlen("_SELINUX_CONTEXT=") + label_len + 1);
if (r < 0)
return log_error_errno(r, "Failed to determine peer credentials: %m");
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
r = getpeersec(fd, &stream->label);
if (r < 0 && r != -EOPNOTSUPP)
(void) log_warning_errno(r, "Failed to determine peer security context: %m");
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");
b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
/* Get the SELinux context of the peer */
- if (mac_selinux_have()) {
+ if (mac_selinux_use()) {
r = getpeersec(b->input_fd, &b->label);
if (r < 0 && r != -EOPNOTSUPP)
log_debug_errno(r, "Failed to determine peer security context: %m");
assert(c->type == CONDITION_SECURITY);
if (streq(c->parameter, "selinux"))
- return mac_selinux_have();
+ return mac_selinux_use();
if (streq(c->parameter, "smack"))
return mac_smack_use();
if (streq(c->parameter, "apparmor"))
condition = condition_new(CONDITION_SECURITY, "selinux", false, true);
assert_se(condition);
- assert_se(condition_test(condition) != mac_selinux_have());
+ assert_se(condition_test(condition) != mac_selinux_use());
condition_free(condition);
condition = condition_new(CONDITION_SECURITY, "ima", false, false);
b = mac_selinux_use();
log_info("mac_selinux_use → %s", yes_no(b));
- b = mac_selinux_have();
- log_info("mac_selinux_have → %s", yes_no(b));
+ b = mac_selinux_use();
+ log_info("mac_selinux_use → %s", yes_no(b));
mac_selinux_retest();
b = mac_selinux_use();
log_info("mac_selinux_use → %s", yes_no(b));
- b = mac_selinux_have();
- log_info("mac_selinux_have → %s", yes_no(b));
+ b = mac_selinux_use();
+ log_info("mac_selinux_use → %s", yes_no(b));
}
static void test_loading(void) {