From 40dac78bce81ebf65ccbcd4f346de9e91d3da58b Mon Sep 17 00:00:00 2001

From: Michal Zidek <mzidek@redhat.com>

Date: Wed, 24 Sep 2014 15:50:04 +0200

Subject: [PATCH 01/22] util: Move semanage related functions to src/util

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

These functions will be reused by IPA provider.

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

---

 Makefile.am                                  |  37 ++-

 src/tests/dlopen-tests.c                     |   1 +

 src/tools/selinux.c                          | 334 ---------------------------

 src/tools/tools_util.h                       |   2 -

 src/{tools/selinux.c => util/sss_semanage.c} |  61 +----

 src/util/util.h                              |   4 +

 6 files changed, 35 insertions(+), 404 deletions(-)

 copy src/{tools/selinux.c => util/sss_semanage.c} (87%)

diff --git a/Makefile.am b/Makefile.am

index 6a8124b5ad30f9e54a0325dc574a96c91ec4e805..49acdb107cb45410493dfabe30a2ea4553a23669 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -476,10 +476,6 @@ if BUILD_SELINUX

     PYTHON_BINDINGS_LIBS += $(SELINUX_LIBS)

     TOOLS_LIBS += $(SELINUX_LIBS)

 endif

-if BUILD_SEMANAGE

-    PYTHON_BINDINGS_LIBS += $(SEMANAGE_LIBS)

-    TOOLS_LIBS += $(SEMANAGE_LIBS)

-endif

 dist_noinst_HEADERS = \

     src/monitor/monitor.h \

@@ -728,11 +724,26 @@ libsss_util_la_SOURCES += \

 endif

 libsss_util_la_LDFLAGS = -avoid-version

+pkglib_LTLIBRARIES += libsss_semanage.la

+libsss_semanage_la_SOURCES = \

+    src/util/sss_semanage.c \

+    $(NULL)

+libsss_semanage_la_LIBADD = \

+    libsss_debug.la \

+    $(NULL)

+if BUILD_SEMANAGE

+libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS)

+endif

+

+libsss_semanage_la_LDFLAGS = \

+    -avoid-version

+

 SSSD_INTERNAL_LTLIBS = \

     libsss_util.la \

     libsss_crypt.la \

     libsss_debug.la \

-    libsss_child.la

+    libsss_child.la \

+    $(NULL)

 if BUILD_IFP

 if BUILD_CONFIG_LIB

@@ -1065,7 +1076,9 @@ sss_useradd_SOURCES = \

     $(SSSD_TOOLS_OBJ)

 sss_useradd_LDADD = \

     $(TOOLS_LIBS) \

-    $(SSSD_INTERNAL_LTLIBS)

+    $(SSSD_INTERNAL_LTLIBS) \

+    libsss_semanage.la \

+    $(NULL)

 sss_userdel_SOURCES = \

     src/tools/sss_userdel.c \

@@ -1073,7 +1086,9 @@ sss_userdel_SOURCES = \

 sss_userdel_LDADD = \

     $(TOOLS_LIBS) \

     $(SSSD_INTERNAL_LTLIBS) \

-    $(CLIENT_LIBS)

+    $(CLIENT_LIBS) \

+    libsss_semanage.la \

+    $(NULL)

 sss_userdel_CFLAGS = \

     $(AM_CFLAGS)

@@ -1099,7 +1114,9 @@ sss_usermod_SOURCES = \

 sss_usermod_LDADD = \

     $(TOOLS_LIBS) \

     $(SSSD_INTERNAL_LTLIBS) \

-    $(CLIENT_LIBS)

+    $(CLIENT_LIBS) \

+    libsss_semanage.la \

+    $(NULL)

 sss_usermod_CFLAGS = $(AM_CFLAGS)

 sss_groupmod_SOURCES = \

@@ -2372,7 +2389,9 @@ libsss_ipa_la_LIBADD = \

     libsss_ldap_common.la \

     libsss_krb5_common.la \

     libipa_hbac.la \

-    libsss_idmap.la

+    libsss_idmap.la \

+    libsss_semanage.la \

+    $(NULL)

 libsss_ipa_la_LDFLAGS = \

     -avoid-version \

     -module

diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c

index 1dd80c49cf3e91e214ac6ffb2df1f98268571831..7e56d652461155045023fddeb988f4f4ba017277 100644

--- a/src/tests/dlopen-tests.c

+++ b/src/tests/dlopen-tests.c

@@ -38,6 +38,7 @@ struct so {

     const char *libs[6];

 } so[] = {

     { "libsss_debug.so", { LIBPFX"libsss_debug.so", NULL } },

+    { "libsss_semanage.so", { LIBPFX"libsss_semanage.so", NULL } },

     { "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } },

     { "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } },

     { "libsss_nss_idmap.so", { LIBPFX"libsss_nss_idmap.so", NULL } },

diff --git a/src/tools/selinux.c b/src/tools/selinux.c

index 1f87d40f99440b15ed71be9c225003b2860c5003..5e9c458f93340fcb4264eced7964a6cfecadc9e6 100644

--- a/src/tools/selinux.c

+++ b/src/tools/selinux.c

@@ -27,16 +27,8 @@

 #include <selinux/selinux.h>

 #endif

-#ifdef HAVE_SEMANAGE

-#include <semanage/semanage.h>

-#endif

-

 #include "tools/tools_util.h"

-#ifndef DEFAULT_SERANGE

-#define DEFAULT_SERANGE "s0"

-#endif

-

 #ifdef HAVE_SELINUX

 /*

  * selinux_file_context - Set the security context before any file or

@@ -89,329 +81,3 @@ int reset_selinux_file_context(void)

     return EOK;

 }

 #endif  /* HAVE_SELINUX */

-

-#ifdef HAVE_SEMANAGE

-/* turn libselinux messages into SSSD DEBUG() calls */

-static void sss_semanage_error_callback(void *varg,

-                                        semanage_handle_t *handle,

-                                        const char *fmt, ...)

-{

-    int level = SSSDBG_INVALID;

-    int ret;

-    char * message = NULL;

-    va_list ap;

-

-    switch (semanage_msg_get_level(handle)) {

-        case SEMANAGE_MSG_ERR:

-            level = SSSDBG_CRIT_FAILURE;

-            break;

-        case SEMANAGE_MSG_WARN:

-            level = SSSDBG_MINOR_FAILURE;

-            break;

-        case SEMANAGE_MSG_INFO:

-            level = SSSDBG_TRACE_FUNC;

-            break;

-    }

-

-    va_start(ap, fmt);

-    ret = vasprintf(&message, fmt, ap);

-    va_end(ap);

-    if (ret < 0) {

-        /* ENOMEM */

-        return;

-    }

-

-    if (DEBUG_IS_SET(level))

-        debug_fn(__FILE__, __LINE__, "libsemanage", level, "%s\n", message);

-    free(message);

-}

-

-static semanage_handle_t *sss_semanage_init(void)

-{

-    int ret;

-    semanage_handle_t *handle = NULL;

-

-    handle = semanage_handle_create();

-    if (!handle) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");

-        return NULL;

-    }

-

-    semanage_msg_set_callback(handle,

-                              sss_semanage_error_callback,

-                              NULL);

-

-    ret = semanage_is_managed(handle);

-    if (ret != 1) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");

-        goto fail;

-    }

-

-    ret = semanage_access_check(handle);

-    if (ret < SEMANAGE_CAN_READ) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");

-        goto fail;

-    }

-

-    ret = semanage_connect(handle);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Cannot estabilish SELinux management connection\n");

-        goto fail;

-    }

-

-    ret = semanage_begin_transaction(handle);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n");

-        goto fail;

-    }

-

-    return handle;

-fail:

-    semanage_handle_destroy(handle);

-    return NULL;

-}

-

-static int sss_semanage_user_add(semanage_handle_t *handle,

-                                 semanage_seuser_key_t *key,

-                                 const char *login_name,

-                                 const char *seuser_name)

-{

-    int ret;

-    semanage_seuser_t *seuser = NULL;

-

-    ret = semanage_seuser_create(handle, &seuser);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Cannot create SELinux login mapping for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_set_name(handle, seuser, login_name);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not set serange for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_set_sename(handle, seuser, seuser_name);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not set SELinux user for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_modify_local(handle, key, seuser);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not add login mapping for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = EOK;

-done:

-    semanage_seuser_free(seuser);

-    return ret;

-}

-

-static int sss_semanage_user_mod(semanage_handle_t *handle,

-                                 semanage_seuser_key_t *key,

-                                 const char *login_name,

-                                 const char *seuser_name)

-{

-    int ret;

-    semanage_seuser_t *seuser = NULL;

-

-    semanage_seuser_query(handle, key, &seuser);

-    if (seuser == NULL) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not query seuser for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not set serange for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_set_sename(handle, seuser, seuser_name);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_modify_local(handle, key, seuser);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              ("Could not modify login mapping for %s\n"), login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = EOK;

-done:

-    semanage_seuser_free(seuser);

-    return ret;

-}

-

-int set_seuser(const char *login_name, const char *seuser_name)

-{

-    semanage_handle_t *handle = NULL;

-    semanage_seuser_key_t *key = NULL;

-    int ret;

-    int seuser_exists = 0;

-

-    if (seuser_name == NULL) {

-        /* don't care, just let system pick the defaults */

-        return EOK;

-    }

-

-    handle = sss_semanage_init();

-    if (!handle) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_key_create(handle, login_name, &key);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_exists(handle, key, &seuser_exists);

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");

-        ret = EIO;

-        goto done;

-    }

-

-    if (seuser_exists) {

-        ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);

-        if (ret != 0) {

-            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");

-            ret = EIO;

-            goto done;

-        }

-    } else {

-        ret = sss_semanage_user_add(handle, key, login_name, seuser_name);

-        if (ret != 0) {

-            DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");

-            ret = EIO;

-            goto done;

-        }

-    }

-

-    ret = semanage_commit(handle);

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = EOK;

-done:

-    semanage_seuser_key_free(key);

-    semanage_handle_destroy(handle);

-    return ret;

-}

-

-int del_seuser(const char *login_name)

-{

-    semanage_handle_t *handle = NULL;

-    semanage_seuser_key_t *key = NULL;

-    int ret;

-    int exists = 0;

-

-    handle = sss_semanage_init();

-    if (!handle) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_key_create(handle, login_name, &key);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_exists(handle, key, &exists;;

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");

-        ret = EIO;

-        goto done;

-    }

-

-    if (!exists) {

-        DEBUG(SSSDBG_FUNC_DATA,

-              "Login mapping for %s is not defined, OK if default mapping "

-                  "was used\n", login_name);

-        ret = EOK;  /* probably default mapping */

-        goto done;

-    }

-

-    ret = semanage_seuser_exists_local(handle, key, &exists;;

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n");

-        ret = EIO;

-        goto done;

-    }

-

-    if (!exists) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Login mapping for %s is defined in policy, "

-                  "cannot be deleted", login_name);

-        ret = ENOENT;

-        goto done;

-    }

-

-    ret = semanage_seuser_del_local(handle, key);

-    if (ret != 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE,

-              "Could not delete login mapping for %s", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_commit(handle);

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n");

-        ret = EIO;

-        goto done;

-    }

-

-    ret = EOK;

-done:

-    semanage_handle_destroy(handle);

-    return ret;

-}

-

-#else /* HAVE_SEMANAGE */

-int set_seuser(const char *login_name, const char *seuser_name)

-{

-    return EOK;

-}

-

-int del_seuser(const char *login_name)

-{

-    return EOK;

-}

-#endif  /* HAVE_SEMANAGE */

diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h

index 87fe752eac49ef85d77043fe0a8c459bc4f5a74c..c5990b012892a25b315d744a056861e7b2130410 100644

--- a/src/tools/tools_util.h

+++ b/src/tools/tools_util.h

@@ -123,7 +123,5 @@ int copy_tree(const char *src_root, const char *dst_root,

 /* from selinux.c */

 int selinux_file_context(const char *dst_name);

 int reset_selinux_file_context(void);

-int set_seuser(const char *login_name, const char *seuser_name);

-int del_seuser(const char *login_name);

 #endif  /* __TOOLS_UTIL_H__ */

diff --git a/src/tools/selinux.c b/src/util/sss_semanage.c

similarity index 87%

copy from src/tools/selinux.c

copy to src/util/sss_semanage.c

index 1f87d40f99440b15ed71be9c225003b2860c5003..dbef3b3437f9ac51021f30b510b9c15cd34e297a 100644

--- a/src/tools/selinux.c

+++ b/src/util/sss_semanage.c

@@ -1,7 +1,7 @@

 /*

    SSSD

-   selinux.c

+   sss_semanage.c

    Copyright (C) Jakub Hrozek <jhrozek@redhat.com>        2010

@@ -23,73 +23,16 @@

 #include <stdio.h>

-#ifdef HAVE_SELINUX

-#include <selinux/selinux.h>

-#endif

-

 #ifdef HAVE_SEMANAGE

 #include <semanage/semanage.h>

 #endif

-#include "tools/tools_util.h"

+#include "util/util.h"

 #ifndef DEFAULT_SERANGE

 #define DEFAULT_SERANGE "s0"

 #endif

-#ifdef HAVE_SELINUX

-/*

- * selinux_file_context - Set the security context before any file or

- *                        directory creation.

- *

- *  selinux_file_context () should be called before any creation of file,

- *  symlink, directory, ...

- *

- *  Callers may have to Reset SELinux to create files with default

- *  contexts:

- *      reset_selinux_file_context();

- */

-int selinux_file_context(const char *dst_name)

-{

-    security_context_t scontext = NULL;

-

-    if (is_selinux_enabled() == 1) {

-        /* Get the default security context for this file */

-        if (matchpathcon(dst_name, 0, &scontext) < 0) {

-            if (security_getenforce () != 0) {

-                return 1;

-            }

-        }

-        /* Set the security context for the next created file */

-        if (setfscreatecon(scontext) < 0) {

-            if (security_getenforce() != 0) {

-                return 1;

-            }

-        }

-        freecon(scontext);

-    }

-

-    return 0;

-}

-

-int reset_selinux_file_context(void)

-{

-    setfscreatecon(NULL);

-    return EOK;

-}

-

-#else   /* HAVE_SELINUX */

-int selinux_file_context(const char *dst_name)

-{

-    return EOK;

-}

-

-int reset_selinux_file_context(void)

-{

-    return EOK;

-}

-#endif  /* HAVE_SELINUX */

-

 #ifdef HAVE_SEMANAGE

 /* turn libselinux messages into SSSD DEBUG() calls */

 static void sss_semanage_error_callback(void *varg,

diff --git a/src/util/util.h b/src/util/util.h

index 0ac9b0104ca941b52bb37720dd16d2bbc9fbb9f8..b43ce6f5092e9920609826bead483976fef2f9b1 100644

--- a/src/util/util.h

+++ b/src/util/util.h

@@ -591,4 +591,8 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,

                      struct sss_creds **saved_creds);

 errno_t restore_creds(struct sss_creds *saved_creds);

+/* from sss_semanage.c */

+int set_seuser(const char *login_name, const char *seuser_name);

+int del_seuser(const char *login_name);

+

 #endif /* __SSSD_UTIL_H__ */

-- 

1.9.3