Add selinux_systemd_contexts_path

systemd has some internal contexts like generated systemd unit files that we want to allow it to check against processes trying to manage them.
2025-05-08 02:28:05 +00:00 · 2013-10-09 14:52:49 -04:00 · 2013-10-09 14:52:49 -04:00 · ce2a8848ad
commit ce2a8848ad
parent 7fe6036ca5
4 changed files with 12 additions and 1 deletions
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@ -521,6 +521,7 @@ extern const char *selinux_virtual_image_context_path(void);
 extern const char *selinux_lxc_contexts_path(void);
 extern const char *selinux_x_context_path(void);
 extern const char *selinux_sepgsql_context_path(void);
+extern const char *selinux_systemd_contexts_path(void);
 extern const char *selinux_contexts_path(void);
 extern const char *selinux_securetty_types_path(void);
 extern const char *selinux_booleans_subs_path(void);
--- a/libselinux/src/file_path_suffixes.h
+++ b/libselinux/src/file_path_suffixes.h
@ -23,6 +23,7 @@ S_(BINPOLICY, "/policy/policy")
    S_(VIRTUAL_DOMAIN, "/contexts/virtual_domain_context")
    S_(VIRTUAL_IMAGE, "/contexts/virtual_image_context")
    S_(LXC_CONTEXTS, "/contexts/lxc_contexts")
+    S_(SYSTEMD_CONTEXTS, "/contexts/systemd_contexts")
    S_(FILE_CONTEXT_SUBS, "/contexts/files/file_contexts.subs")
    S_(FILE_CONTEXT_SUBS_DIST, "/contexts/files/file_contexts.subs_dist")
    S_(SEPGSQL_CONTEXTS, "/contexts/sepgsql_contexts")
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@ -50,7 +50,8 @@
 #define FILE_CONTEXT_SUBS_DIST 25
 #define LXC_CONTEXTS      26
 #define BOOLEAN_SUBS      27
-#define NEL               28
+#define SYSTEMD_CONTEXTS  28
+#define NEL               29

 /* Part of one-time lazy init */
 static pthread_once_t once = PTHREAD_ONCE_INIT;
@ -467,6 +468,13 @@ const char *selinux_lxc_contexts_path(void)

 hidden_def(selinux_lxc_contexts_path)

+const char *selinux_systemd_contexts_path(void)
+{
+	return get_path(SYSTEMD_CONTEXTS);
+}
+
+hidden_def(selinux_systemd_contexts_path)
+
 const char * selinux_booleans_subs_path(void) {
 	return get_path(BOOLEAN_SUBS);
 }
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@ -82,6 +82,7 @@ hidden_proto(selinux_mkload_policy)
    hidden_proto(selinux_media_context_path)
    hidden_proto(selinux_x_context_path)
    hidden_proto(selinux_sepgsql_context_path)
+    hidden_proto(selinux_systemd_contexts_path)
    hidden_proto(selinux_path)
    hidden_proto(selinux_check_passwd_access)
    hidden_proto(selinux_check_securetty_context)