core: set default process label only exec label is none

When command path has access label and no SmackProcessLabel= is not
set, default process label will be set. But if the default process
label has no rule for the access label of the command path then smack
access error will be occurred.
So, if the command path has execute label then the child have to set
its label to the same of execute label of command path instead of
default process label.

diff --git a/src/core/execute.c b/src/core/execute.c
index 21721dc240731e11b7e4f3eeaef64d9d538629b9..f14ae4d8a6d17fa2aa75d8ccb74d6ff72fddf06b 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1719,7 +1719,15 @@ static int exec_child(
                 }
 #ifdef SMACK_DEFAULT_PROCESS_LABEL
                 else {
-                        r = mac_smack_apply_pid(0, SMACK_DEFAULT_PROCESS_LABEL);
+                        _cleanup_free_ char *exec_label = NULL;
+
+                        r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label);
+                        if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) {
+                                *exit_status = EXIT_SMACK_PROCESS_LABEL;
+                                return r;
+                        }
+
+                        r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL);
                         if (r < 0) {
                                 *exit_status = EXIT_SMACK_PROCESS_LABEL;
                                 return r;