selinux: add mac_selinux_create_file_prepare_label helper

Allow to use setfscreatecon with a custom label rather than the default

diff --git a/src/shared/selinux-util.c b/src/shared/selinux-util.c
index 34e78e6792a9b786bd624aabce75a40c359d09f2..ca92a65efc517e8033e62ecc6389b4416324581c 100644 (file)
--- a/src/shared/selinux-util.c
+++ b/src/shared/selinux-util.c
@@ -562,6 +562,21 @@ int mac_selinux_create_file_prepare(const char *path, mode_t mode) {
 #endif
 }
 
+int mac_selinux_create_file_prepare_label(const char *path, const char *label) {
+#if HAVE_SELINUX
+
+        if (!label)
+                return 0;
+
+        if (!mac_selinux_use())
+                return 0;
+
+        if (setfscreatecon_raw(label) < 0)
+                return log_enforcing_errno(errno, "Failed to set specified SELinux security context '%s' for '%s': %m", label, strna(path));
+#endif
+        return 0;
+}
+
 void mac_selinux_create_file_clear(void) {
 
 #if HAVE_SELINUX

diff --git a/src/shared/selinux-util.h b/src/shared/selinux-util.h
index 1095bdef0eec09f32e4c7c9673a21a5a559a424d..4147a3ad506dcc51a7df3b71097b6de6ac686629 100644 (file)
--- a/src/shared/selinux-util.h
+++ b/src/shared/selinux-util.h
@@ -43,6 +43,7 @@ char* mac_selinux_free(char *label);
 
 int mac_selinux_create_file_prepare(const char *path, mode_t mode);
 int mac_selinux_create_file_prepare_at(int dirfd, const char *path, mode_t mode);
+int mac_selinux_create_file_prepare_label(const char *path, const char *label);
 void mac_selinux_create_file_clear(void);
 
 int mac_selinux_create_socket_prepare(const char *label);