On socket creation, respect the SELinuxContext= setting of the associated
service, so that the initially created socket has the same label as the
future process accepting the connection (since, w.r.t. SELinux, sockets
normally have the same label as the owning process).
Triggered by #24702
Unit *service;
ExecCommand *c;
+ const char *exec_context;
_cleanup_free_ char *path = NULL;
r = socket_load_service_unit(s, -1, &service);
if (r < 0)
return r;
+ exec_context = SERVICE(service)->exec_context.selinux_context;
+ if (exec_context) {
+ char *con;
+
+ con = strdup(exec_context);
+ if (!con)
+ return -ENOMEM;
+
+ *ret = TAKE_PTR(con);
+ return 0;
+ }
+
c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
if (!c)
goto no_label;
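Review bot: The added `if (exec_context)` branch returns the configured `SELinuxContext=` string as the socket label without validating it and without considering whether the service marked the setting as failure-tolerant (the `-` prefix), so socket creation and service exec may treat a bad context differently. Whether a label that cannot be applied is fatal for the socket is decided in the caller, which is not visible here; if it is fatal in enforcing mode, a unit that would still start could now fail to listen, so this is worth confirming. At minimum, document the precedence above the branch: `/* An explicit SELinuxContext= on the service overrides the label derived from the ExecStart= binary; the string is used as configured and is not validated here. */`. Two smaller points: `exec_context` holds a label string rather than an `ExecContext`, so a name such as `configured_label` would read better, and `TAKE_PTR(con)` on a plain local without a cleanup attribute adds nothing over `*ret = con;`. The enclosing function starts and ends outside this hunk.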