Currently, the SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because the function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use the function manager_load_unit(), which searches Unit file paths for the given Unit file.
Signed-off-by: HATAYAMA Daisuke <d.hatay...@jp.fujitsu.com> --- src/core/selinux-access.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index decd42f..36bdbcc 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units, int r; STRV_FOREACH(i, units) { - u = manager_get_unit(m, *i); + r = manager_load_unit(m, *i, NULL, error, &u); + if (r < 0) + return r; if (u) { + if (u->load_state == UNIT_NOT_FOUND) + return -ENOENT; r = mac_selinux_unit_access_check(u, message, permission, error); if (r < 0) return r; -- 2.1.0 _______________________________________________ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
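Review bot: in the STRV_FOREACH loop, the new `return -ENOENT` for `u->load_state == UNIT_NOT_FOUND` returns without filling in `error`, although the neighbouring calls are handed `error` so they can report a failure to the caller. Consider setting it before returning (for example with sd_bus_error_setf()), and say in the commit message that a name with no unit file now fails the whole request, where before it was skipped without a check. A second point on the same lines: manager_load_unit() runs before mac_selinux_unit_access_check(), so every name in `units` is looked up on disk and loaded into the manager before the caller's permission has been evaluated. If that ordering is intended, a comment above the call explaining why loading ahead of the check is acceptable would help; it would also help to state whether units loaded only for this check are expected to stay loaded when the check then denies access.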