selinux: drop mac_selinux_unit_access_check_strv()

It is not acceptable to load unit files during enable/disable operations
just to figure out the selinux labels. systemd implements lazy loading
for units, so the selinux hooks need to follow it.

This drops the mac_selinux_unit_access_check_strv() helper which
implements a non-acceptable policy check. If anyone cares for that
functionality, you really should pass a callback+userdata to the helpers
in src/shared/install.c which does policy checks on each touched file.

See #1050 on github for more.

diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c
index 5722e3c2bbf37798898d05a0be821197aa114bc9..0b365391ecd85407d14d4a30dbb605338f99e7df 100644 (file)
--- a/src/core/dbus-manager.c
+++ b/src/core/dbus-manager.c
@@ -1650,10 +1650,6 @@ static int method_enable_unit_files_generic(
         if (r < 0)
                 return r;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-        if (r < 0)
-                return r;
-
         r = bus_verify_manage_unit_files_async(m, message, error);
         if (r < 0)
                 return r;
@@ -1723,10 +1719,6 @@ static int method_preset_unit_files_with_mode(sd_bus_message *message, void *use
                         return -EINVAL;
         }
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-        if (r < 0)
-                return r;
-
         r = bus_verify_manage_unit_files_async(m, message, error);
         if (r < 0)
                 return r;
@@ -1766,10 +1758,6 @@ static int method_disable_unit_files_generic(
         if (r < 0)
                 return r;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
-        if (r < 0)
-                return r;
-
         scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 
         r = bus_verify_manage_unit_files_async(m, message, error);
@@ -1902,10 +1890,6 @@ static int method_add_dependency_unit_files(sd_bus_message *message, void *userd
         if (dep < 0)
                 return -EINVAL;
 
-        r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
-        if (r < 0)
-                return r;
-
         scope = m->running_as == MANAGER_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
 
         r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 2ecfa409742cd884b395ee3ce8006ce2fe0ce222..f920c2e2cd825fecf081baf4937739e5aa3517a2 100644 (file)
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -289,30 +289,3 @@ finish:
         return 0;
 #endif
 }
-
-int mac_selinux_unit_access_check_strv(
-                char **units,
-                sd_bus_message *message,
-                Manager *m,
-                const char *permission,
-                sd_bus_error *error) {
-
-#ifdef HAVE_SELINUX
-        char **i;
-        Unit *u;
-        int r;
-
-        STRV_FOREACH(i, units) {
-                if (is_path(*i))
-                        r = manager_load_unit(m, NULL, *i, error, &u);
-                else
-                        r = manager_load_unit(m, *i, NULL, error, &u);
-                if (r < 0)
-                        return r;
-                r = mac_selinux_unit_access_check(u, message, permission, error);
-                if (r < 0)
-                        return r;
-        }
-#endif
-        return 0;
-}

diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h
index b5758e2e42ae1e6b0bacc8fedfba46edcdf0e1f3..e6b4dd7feee04ae29ec8ca5bb852386c615f227a 100644 (file)
--- a/src/core/selinux-access.h
+++ b/src/core/selinux-access.h
@@ -29,8 +29,6 @@ void mac_selinux_access_free(void);
 
 int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, const char *permission, sd_bus_error *error);
 
-int mac_selinux_unit_access_check_strv(char **units, sd_bus_message *message, Manager *m, const char *permission, sd_bus_error *error);
-
 #ifdef HAVE_SELINUX
 
 #define mac_selinux_access_check(message, permission, error) \