From: Christian Göttsche
Date: Fri, 23 Sep 2022 17:00:22 +0000 (+0200)
Subject: core: respect SELinuxContext= for socket creation
X-Git-Tag: v252-rc1~95
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=599b384924bbef9f8f7fa5700c6fa35a404d9a98;p=thirdparty%2Fsystemd.git
core: respect SELinuxContext= for socket creation
On socket creation respect the SELinuxContext= setting of the associated service, such that the initial created socket has the same label as the future process accepting the connection (since w.r.t SELinux sockets normally have the same label as the owning process). Triggered by #24702
---
diff --git a/src/core/socket.c b/src/core/socket.c
index de8634481b1..308f84898ca 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -1421,6 +1421,7 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 
 Unit *service;
 ExecCommand *c;
+ const char *exec_context;
 _cleanup_free_ char *path = NULL;
 
 r = socket_load_service_unit(s, -1, &service);
@@ -1429,6 +1430,18 @@ static int socket_determine_selinux_label(Socket *s, char **ret) {
 if (r < 0)
 return r;
 
+ exec_context = SERVICE(service)->exec_context.selinux_context;
+ if (exec_context) {
+ char *con;
+
+ con = strdup(exec_context);
+ if (!con)
+ return -ENOMEM;
+
+ *ret = TAKE_PTR(con);
+ return 0;
+ }
+
 c = SERVICE(service)->exec_command[SERVICE_EXEC_START];
 if (!c)
 goto no_label;
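Review bot: In the second hunk the `SELinuxContext=` string is copied into `*ret` verbatim, so the socket label now comes straight from unit configuration, with no check visible here that it is a valid, loadable context and no look at the `-` (ignore-failure) form of the setting. If that prefix is kept in a separate flag on the exec context (`selinux_context_ignore`, not shown on this page), a service that tolerates a bad context at exec time would presumably still fail socket setup under enforcing mode; it is worth deciding whether to fall through to the executable-derived label in that case. The new early return also deserves a comment stating the precedence, e.g. `/* An explicit SELinuxContext= on the service wins over the label derived from the ExecStart= binary */`. As a small style point, `con` is a plain local without a cleanup attribute, so `*ret = con;` says the same as `*ret = TAKE_PTR(con);`. The function starts before the first hunk and continues past the second, so the `no_label` path and the caller's handling of the returned label are not visible here.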