From 599b384924bbef9f8f7fa5700c6fa35a404d9a98 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 23 Sep 2022 19:00:22 +0200
Subject: [PATCH] core: respect SELinuxContext= for socket creation

On socket creation respect the SELinuxContext= setting of the associated service, such that the initial created socket has the same label as the future process accepting the connection (since w.r.t SELinux sockets normally have the same label as the owning process).

Triggered by #24702
---
 src/core/socket.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/core/socket.c b/src/core/socket.c
index de8634481b1..308f84898ca 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1421,6 +1421,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 
 Unit *service;
 ExecCommand *c;
+ const char *exec_context;
 _cleanup_free_ char *path = NULL;
 
 r = socket_load_service_unit(s, -1, &service);
@@ -1429,6 +1430,18 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 if (r < 0)
 return r;
 
+ exec_context = SERVICE(service)->exec_context.selinux_context;
+ if (exec_context) {
+ char *con;
+
+ con = strdup(exec_context);
+ if (!con)
+ return -ENOMEM;
+
+ *ret = TAKE_PTR(con);
+ return 0;
+ }
+
 c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
 if (!c)
 goto no_label;
-- 
2.47.3
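Review bot: The added block in the second hunk declares `con` uninitialised, assigns it on a separate line, and then passes a plain pointer through `TAKE_PTR()`, which is only meaningful for a `_cleanup_`-managed variable; it would read like the surrounding code as `char *con = strdup(exec_context); if (!con) return -ENOMEM; *ret = con; return 0;`. A short comment above the new branch would also help a later reader, e.g. `/* An explicit SELinuxContext= on the service takes precedence over the label derived from its ExecStart= binary. */`. The value of `exec_context.selinux_context` is used as-is here; if the service was configured with the failure-tolerant form of the setting (an ignore flag kept alongside the context string, presumably), this path does not consult that flag, so an invalid or unloaded label may now make socket creation fail where the service start itself would have tolerated it — worth confirming against how the caller of socket_determine_selinux_label() treats an error from applying the label. socket_determine_selinux_label() begins before the first hunk and continues after the second, so the from-net branch and the no_label fallback are not visible here.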