selinux: fix missing SELinux unit access check

Currently, SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use function manager_load_unit() searching Unit file pathes for the given Unit file.
systemd · Jun 25, 2015 · 4938696 · 4938696
1 parent ff99498
commit 4938696
Showing 1 changed file with 6 additions and 6 deletions.
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
@@ -302,12 +302,12 @@ int mac_selinux_unit_access_check_strv(
         int r;
 
         STRV_FOREACH(i, units) {
-                u = manager_get_unit(m, *i);
-                if (u) {
-                        r = mac_selinux_unit_access_check(u, message, permission, error);
-                        if (r < 0)
-                                return r;
-                }
+                r = manager_load_unit(m, *i, NULL, error, &u);
+                if (r < 0)
+                        return r;
+                r = mac_selinux_unit_access_check(u, message, permission, error);
+                if (r < 0)
+                        return r;
         }
 #endif
         return 0;