From 62f174cf1f0c8382b23c178b8ccf5bd353ff57e3 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 12 Jul 2022 16:23:02 +0200
Subject: [PATCH] selinux: include precise low-level error string in returned
 D-Bus errors

---
 src/core/selinux-access.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 878dea13f13..848ae246a7f 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -240,7 +240,7 @@ int mac_selinux_access_check_internal(
                         if (!enforce)
                                 return 0;
 
-                        return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context.");
+                        return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to get current context: %m");
                 }
 
                 acon = fcon;
@@ -259,10 +259,10 @@ int mac_selinux_access_check_internal(
 
         r = selinux_check_access(scon, acon, tclass, permission, &audit_info);
         if (r < 0) {
-                r = errno_or_else(EPERM);
+                errno = -(r = errno_or_else(EPERM));
 
                 if (enforce)
-                        sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access.");
+                        sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "SELinux policy denies access: %m");
         }
 
         log_full_errno_zerook(LOG_DEBUG, r,
-- 
2.47.3