network: selinux hook handling to enumerate nexthop
authorPurushottam choudhary <purushottam.choudhary@kpit.com>
Wed, 28 Oct 2020 16:41:49 +0000 (22:11 +0530)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Sun, 1 Nov 2020 14:28:21 +0000 (23:28 +0900)
When selinux is enabled, the call of
manager_rtnl_enumerate_nexthop() fails.

This fix is to facilitate selinux hook handling for enumerating
nexthop.

In manager_rtnl_enumerate_nexthop() there is a check
if "Not supported" is returned by the send_netlink() call.

This check expects that -EOPNOTSUPP is returned,
the selinux hook seems to return -EINVAL instead.

This happens in kernels older than 5.3
(more specifically torvalds/linux@65ee00a) as they do not support
nexthop handling through netlink.

And if SELinux is enforced in the older kernel, calling RTM_GETNEXTHOP
returns -EINVAL.

Thus adding a call in the manager_rtnl_enumerate_nexthop for the
extra return -EINVAL.

src/network/networkd-manager.c

index b5aba1f1dc2f33c4d96fc5994d65e86daffbea31..ff00d8650920b8ded20e1f1a43c1f93892bb2e71 100644 (file)
@@ -38,6 +38,7 @@
 #include "ordered-set.h"
 #include "path-lookup.h"
 #include "path-util.h"
+#include "selinux-util.h"
 #include "set.h"
 #include "signal-util.h"
 #include "stat-util.h"
@@ -971,7 +972,7 @@ static int manager_enumerate_internal(
 
         r = sd_netlink_call(m->rtnl, req, 0, &reply);
         if (r < 0) {
-                if (r == -EOPNOTSUPP && name) {
+                if (name && (r == -EOPNOTSUPP || (r == -EINVAL && mac_selinux_enforcing()))) {
                         log_debug_errno(r, "%s are not supported by the kernel. Ignoring.", name);
                         return 0;
                 }
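Review bot: The new condition on the changed line treats every -EINVAL as "not supported" whenever SELinux is enforcing, so a genuinely malformed or otherwise rejected RTM_GETNEXTHOP request on a kernel that does support nexthops would also be swallowed as a debug-level "not supported" message. The reason -EINVAL stands in for -EOPNOTSUPP here (the SELinux netlink hook on kernels older than 5.3, per the commit message) is not visible in the code, so a comment above the `if` would help: `/* On kernels < 5.3 with SELinux enforcing, the LSM netlink hook rejects the unknown RTM_GETNEXTHOP with -EINVAL instead of -EOPNOTSUPP. */`. It would also help to keep the two causes distinguishable when debugging, e.g. `log_debug_errno(r, "%s are not supported by the kernel%s. Ignoring.", name, r == -EINVAL ? " (request rejected with EINVAL while SELinux is enforcing)" : "");`. manager_enumerate_internal() begins before this hunk, so the request construction that precedes the sd_netlink_call() is outside the hunk.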