From: Ivan Kruglov
Date: Thu, 3 Jul 2025 13:40:14 +0000 (-0700)
Subject: selinux: get_our_contexts()
X-Git-Tag: v258-rc1~106^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=84c05ec63228b93b1798788bed89e61743ffeaaa;p=thirdparty%2Fsystemd.git

selinux: get_our_contexts()
---
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 1a0f57d167c..b53730963ae 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -164,6 +164,39 @@ static int access_init(sd_bus_error *error) {
 return 1;
 }
 
+static int get_our_contexts(const Unit *unit, const char **ret_acon, const char **ret_tclass, char **ret_fcon) {
+ _cleanup_freecon_ char *fcon = NULL;
+
+ assert(ret_acon);
+ assert(ret_tclass);
+ assert(ret_fcon);
+
+ if (unit && unit->access_selinux_context) {
+ /* Nice! The unit comes with a SELinux context read from the unit file */
+ *ret_acon = unit->access_selinux_context;
+ *ret_tclass = "service";
+ *ret_fcon = NULL;
+ return 0;
+ }
+
+ /* If no unit context is known, use our own */
+
+ /* Ideally, we should call mac_selinux_get_our_label() here because it
+ * does exactly the same - call getcon_raw(). However, it involves
+ * selinux_init() which opens label DB. It was not part of the
+ * original code. I don't want to change it for now. */
+ if (getcon_raw(&fcon) < 0)
+ return log_debug_errno(errno, "SELinux getcon_raw() failed: %m");
+
+ if (!fcon)
+ return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "SELinux returned no context of the current process");
+
+ *ret_acon = fcon;
+ *ret_tclass = "system";
+ *ret_fcon = TAKE_PTR(fcon);
+ return 0;
+}
+
 /* This function communicates with the kernel to check whether or not it should allow the access.
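Review bot: The ownership contract of get_our_contexts() is not documented: on the getcon_raw() path `*ret_acon` points into the buffer handed out through `*ret_fcon`, while on the unit path it points into the Unit and `*ret_fcon` is set to NULL, so `*ret_acon` stays valid only as long as the caller keeps `*ret_fcon` (or the unit) alive. A comment above the definition such as `/* On success *ret_acon borrows either the unit's context or the buffer returned in *ret_fcon; the caller owns *ret_fcon and must keep it alive while using *ret_acon. */` would make that explicit. The comment beginning "Ideally, we should call mac_selinux_get_our_label()" is written in the first person; rephrasing it as a `TODO:` describing why the call is deferred (selinux_init() opening the label DB) matches the register of the rest of the file. The caller in the next hunk tells the no-context case apart only by `r == -EOPNOTSUPP`; if getcon_raw() itself can fail with that errno the two cases become indistinguishable, so a dedicated return value or out-parameter would be more robust — worth confirming against libselinux.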
@@ -216,30 +249,21 @@ int mac_selinux_access_check_bus_internal(
 if (r < 0)
 return r;
 
- if (unit && unit->access_selinux_context) {
- /* Nice! The unit comes with a SELinux context read from the unit file */
- acon = unit->access_selinux_context;
- tclass = "service";
- } else {
- /* If no unit context is known, use our own */
- if (getcon_raw(&fcon) < 0) {
- log_warning_errno(errno, "SELinux getcon_raw() failed%s (perm=%s): %m",
- enforce ? "" : ", ignoring",
- permission);
- if (!enforce)
- return 0;
-
- return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context: %m");
- }
- if (!fcon) {
- if (!enforce)
- return 0;
+ r = get_our_contexts(unit, &acon, &tclass, &fcon);
+ if (r < 0) {
+ log_selinux_enforcing_errno(
+ r,
+ "Failed to retrieves SELinux context of current process (perm=%s)%s: %m",
+ permission,
+ enforce ? "" : ", ignoring");
+ if (!enforce)
+ return 0;
+
+ if (r == -EOPNOTSUPP)
 return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "We appear not to have any SELinux context: %m");
- }
- acon = fcon;
- tclass = "system";
+ return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context: %m");
 }
 
 (void) sd_bus_creds_get_cmdline(creds, &cmdline);
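Review bot: The new log message has a typo: `"Failed to retrieves SELinux context of current process (perm=%s)%s: %m"` should read `"Failed to retrieve SELinux context of current process (perm=%s)%s: %m"`. The two sd_bus_error_setf() calls that follow format `%m` from errno rather than from `r`; on the `-EOPNOTSUPP` path the code is synthetic and nothing in the visible lines stores it in errno, so the D-Bus error text may describe a stale errno — formatting the text from `r` explicitly (e.g. with `STRERROR(r)`) would tie the message to the returned code, and is worth checking for the "We appear not to have any SELinux context" line as well since that pre-existing line now shares the path. get_our_contexts() already logs the failure at debug level before the caller logs it again, so the enforcing-mode log here may be duplicated in debug output; the enclosing function mac_selinux_access_check_bus_internal() starts and ends outside the hunk.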