From: Topi Miettinen <toiwoton@gmail.com>
Date: Thu, 11 Nov 2021 22:33:01 +0000 (+0200)
Subject: execute: always log a warning when setting SELinux context fails
X-Git-Tag: v250-rc1~292
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=006d1864fb7f7a880e8bb22ad7547a3c2fcb1db8;p=thirdparty%2Fsystemd.git

execute: always log a warning when setting SELinux context fails

Update also manual page to explain how the transition can still fail.
---

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index ecfaef3dfa1..aea7116e297 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -730,10 +730,13 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
 
         <listitem><para>Set the SELinux security context of the executed process. If set, this will override the
         automated domain transition. However, the policy still needs to authorize the transition. This directive is
-        ignored if SELinux is disabled. If prefixed by <literal>-</literal>, all errors will be ignored. This does not
-        affect commands prefixed with <literal>+</literal>.  See <citerefentry
-        project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry> for
-        details.</para></listitem>
+        ignored if SELinux is disabled. If prefixed by <literal>-</literal>, failing to set the SELinux
+        security context will be ignored, but it's still possible that the subsequent
+        <function>execve()</function> may fail if the policy doesn't allow the transition for the
+        non-overridden context. This does not affect commands prefixed with <literal>+</literal>.  See
+        <citerefentry
+        project='die-net'><refentrytitle>setexeccon</refentrytitle><manvolnum>3</manvolnum></citerefentry>
+        for details.</para></listitem>
       </varlistentry>
 
       <varlistentry>
diff --git a/src/core/execute.c b/src/core/execute.c
index 6f19f5024e3..4a57e407792 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4579,9 +4579,12 @@ static int exec_child(
 
                 if (fd >= 0) {
                         r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
-                        if (r < 0 && !context->selinux_context_ignore) {
-                                *exit_status = EXIT_SELINUX_CONTEXT;
-                                return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+                        if (r < 0) {
+                                if (!context->selinux_context_ignore) {
+                                        *exit_status = EXIT_SELINUX_CONTEXT;
+                                        return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+                                }
+                                log_unit_debug_errno(unit, r, "Failed to determine SELinux context, ignoring: %m");
                         }
                 }
         }
@@ -4713,9 +4716,12 @@ static int exec_child(
 
                         if (exec_context) {
                                 r = setexeccon(exec_context);
-                                if (r < 0 && !context->selinux_context_ignore) {
-                                        *exit_status = EXIT_SELINUX_CONTEXT;
-                                        return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
+                                if (r < 0) {
+                                        if (!context->selinux_context_ignore) {
+                                                *exit_status = EXIT_SELINUX_CONTEXT;
+                                                return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
+                                        }
+                                        log_unit_debug_errno(unit, r, "Failed to change SELinux context to %s, ignoring: %m", exec_context);
                                 }
                         }
                 }