execute: respect selinux_context_ignore

topimiettinen · yuwata · commit 2ad2925de5f2 · 2021-11-01T08:28:41.000+09:00
When `SELinuxContext=` parameter is prefixed with `-`, the documentation states that any errors determining or changing context should be ignored, but this doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`. Fix by adding checks to `context->selinux_context_ignore`. Closes: systemd#21057
diff --git a/src/core/execute.c b/src/core/execute.c
@@ -4566,7 +4566,7 @@ static int exec_child(
 
                 if (fd >= 0) {
                         r = mac_selinux_get_child_mls_label(fd, executable, context->selinux_context, &mac_selinux_context_net);
-                        if (r < 0) {
+                        if (r < 0 && !context->selinux_context_ignore) {
                                 *exit_status = EXIT_SELINUX_CONTEXT;
                                 return log_unit_error_errno(unit, r, "Failed to determine SELinux context: %m");
                         }
@@ -4700,7 +4700,7 @@ static int exec_child(
 
                         if (exec_context) {
                                 r = setexeccon(exec_context);
-                                if (r < 0) {
+                                if (r < 0 && !context->selinux_context_ignore) {
                                         *exit_status = EXIT_SELINUX_CONTEXT;
                                         return log_unit_error_errno(unit, r, "Failed to change SELinux context to %s: %m", exec_context);
                                 }
