network: selinux hook handling to enumerate nexthop

When selinux is enabled, the call of manager_rtnl_enumerate_nexthop() fails. This fix is to facilitate selinux hook handling for enumerating nexthop. In manager_rtnl_enumerate_nexthop() there is a check if "Not supported" is returned by the send_netlink() call. This check expects that -EOPNOTSUPP is returned, the selinux hook seems to return -EINVAL instead. This happens in kernel older than 5.3 (more specificallytorvalds/linux@65ee00a) as it does not support nexthop handling through netlink. And if SELinux is enforced in the order kernel, callingRTM_GETNEXTHOP returns -EINVAL. Thus adding a call in the manager_rtnl_enumerate_nexthop for the extra return -EINVAL.
Fix typo
2020-11-01 23:28:21 +09:00 · 2020-11-01 23:26:16 +09:00
2 changed files with 3 additions and 2 deletions
--- a/man/homectl.xml
+++ b/man/homectl.xml
@ -195,7 +195,7 @@
        <term><option>--realm=</option><replaceable>REALM</replaceable></term>

        <listitem><para>The realm for the user. The realm associates a user with a specific organization or
-        installation, and allows distuingishing users of the same name defined in different contexts. The
+        installation, and allows distinguishing users of the same name defined in different contexts. The
        realm can be any string that also qualifies as valid DNS domain name, and it is recommended to use
        the organization's or installation's domain name for this purpose, but this is not enforced nor
        required. On each system only a single user of the same name may exist, and if a user with the same
--- a/src/network/networkd-manager.c
+++ b/src/network/networkd-manager.c
@ -38,6 +38,7 @@
 #include "ordered-set.h"
 #include "path-lookup.h"
 #include "path-util.h"
+#include "selinux-util.h"
 #include "set.h"
 #include "signal-util.h"
 #include "stat-util.h"
@ -971,7 +972,7 @@ static int manager_enumerate_internal(

        r = sd_netlink_call(m->rtnl, req, 0, &reply);
        if (r < 0) {
-                if (r == -EOPNOTSUPP && name) {
+                if (name && (r == -EOPNOTSUPP || (r == -EINVAL && mac_selinux_enforcing()))) {
                        log_debug_errno(r, "%s are not supported by the kernel. Ignoring.", name);
                        return 0;
                }