From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 29 Jun 2021 15:10:27 +0000 (+0200)
Subject: selinux: support infering SELinux label also from socket not connected to stdin
X-Git-Tag: v249~30
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=49590d67c9de85b651cac9645f090135e56d3074;p=thirdparty%2Fsystemd.git

selinux: support infering SELinux label also from socket not connected to stdin

Fixes #19918
---

diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
index b669e7d15d1..1600656fdbb 100644
--- a/man/systemd.socket.xml
+++ b/man/systemd.socket.xml
@@ -629,10 +629,12 @@
          resulting SELinux context originate from either the target
          binary that is effectively triggered by socket unit or from
          the value of the <varname>SELinuxContext=</varname> option.
-         This configuration option only affects sockets with
-         <varname>Accept=</varname> mode set to
-         <literal>yes</literal>. Also note that this option is useful
-         only when MLS/MCS SELinux policy is deployed. Defaults to
+         This configuration option applies only when activated service
+         is passed in single socket file descriptor, i.e. service
+         instances that have standard input connected to a socket or
+         services triggered by exactly one socket unit. Also note
+         that this option is useful only when MLS/MCS SELinux policy
+         is deployed. Defaults to
          <literal>false</literal>. </para></listitem>
       </varlistentry>
 
diff --git a/src/core/execute.c b/src/core/execute.c
index af24f9f7135..2a337b55a2a 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4345,11 +4345,22 @@ static int exec_child(
         }
 
 #if HAVE_SELINUX
-        if (needs_sandboxing && use_selinux && params->selinux_context_net && socket_fd >= 0) {
-                r = mac_selinux_get_child_mls_label(socket_fd, executable, context->selinux_context, &mac_selinux_context_net);
-                if (r < 0) {
-                        *exit_status = EXIT_SELINUX_CONTEXT;
-                        return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+        if (needs_sandboxing && use_selinux && params->selinux_context_net) {
+                int fd = -1;
+
+                if (socket_fd >= 0)
+                        fd = socket_fd;
+                else if (params->n_socket_fds == 1)
+                        /* If stdin is not connected to a socket but we are triggered by exactly one socket unit then we
+                         * use context from that fd to compute the label. */
+                        fd = params->fds[0];
+
+                if (fd >= 0) {
+                        r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
+                        if (r < 0) {
+                                *exit_status = EXIT_SELINUX_CONTEXT;
+                                return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
+                        }
                 }
         }
 #endif