From: Topi Miettinen Date: Sat, 30 Oct 2021 16:58:41 +0000 (+0300) Subject: execute: respect selinux_context_ignore X-Git-Tag: v250-rc1~378 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2ad2925de5f258d128ec8cdb07f10f3c52fa4fcf;p=thirdparty%2Fsystemd.git execute: respect selinux_context_ignore When `SELinuxContext=` parameter is prefixed with `-`, the documentation states that any errors determining or changing context should be ignored, but this doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`. Fix by adding checks to `context->selinux_context_ignore`. Closes: #21057
---
diff --git a/src/core/execute.c b/src/core/execute.c
index d5882999f69..52a4daf0cb6 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4566,7 +4566,7 @@ static int exec_child(
 if (fd >= 0) {
 r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
- if (r < 0) {
+ if (r < 0 && !context->selinux_context_ignore) {
 *exit_status = EXIT_SELINUX_CONTEXT;
 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
 }
@@ -4700,7 +4700,7 @@ static int exec_child(
 if (exec_context) {
 r = setexeccon(exec_context);
- if (r < 0) {
+ if (r < 0 && !context->selinux_context_ignore) {
 *exit_status = EXIT_SELINUX_CONTEXT;
 return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
 }
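Review bot: In the hunk at `@@ -4566`, a failure of `mac_selinux_get_child_mls_label()` is now dropped without any log record when `selinux_context_ignore` is set, and the same holds for the `setexeccon()` failure in the hunk at `@@ -4700`. The service then starts under a label other than the one configured, presumably whatever the default transition yields, and the journal gives an operator nothing to detect that by. Keep `if (r < 0) {` as the outer test, nest the existing failure return under `if (!context->selinux_context_ignore)`, and otherwise emit `log_unit_debug_errno(unit, r, "Failed to determine SELinux context, ignoring: %m");`. exec_child() starts and ends outside both hunks, so how `mac_selinux_context_net` is used after an ignored failure is not visible here.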
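Review bot: In the hunk at `@@ -4700`, `r` carries the raw return of `setexeccon()`, which as far as libselinux documents it is -1 with the cause left in `errno`, so `log_unit_error_errno(unit, r, ...)` would likely print `%m` as EPERM whatever actually failed. The commit leaves that in place while touching the condition. Testing the call directly and passing `errno` keeps the message accurate: `if (setexeccon(exec_context) < 0 && !context->selinux_context_ignore) {` with `return log_unit_error_errno(unit, errno, "Failed to change SELinux context to %s: %m", exec_context);`. The enclosing function continues outside the hunk.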