git.ipfire.org Git - thirdparty/systemd.git/commit - src/journal/journald-syslog.c
Revert "selinux: split up mac_selinux_have() from mac_selinux_use()"
author Gary Tierney <gary.tierney@gmx.com>
Tue, 2 May 2017 16:42:19 +0000 (17:42 +0100)
committer Gary Tierney <gary.tierney@gmx.com>
Fri, 12 May 2017 13:43:39 +0000 (14:43 +0100)
commit 6d395665e5ce7b64f3de4c9550c0779843e6cc44
tree 3b18a7a2ac745fac0393a23f2eab61479e64e855
parent 6e4177315f632e03afea43b6d99100bd434f3403

This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574.

The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER.  In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID.  Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.

Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
src/basic/selinux-util.c
src/basic/selinux-util.h
src/journal/journald-native.c
src/journal/journald-server.c
src/journal/journald-stream.c
src/journal/journald-syslog.c
src/libsystemd/sd-bus/bus-socket.c
src/shared/condition.c
src/test/test-condition.c
src/test/test-selinux.c