From 214c04af59ea09589743b88943a7ba0adac64a7a Mon Sep 17 00:00:00 2001
From: Michal Zidek <mzidek@redhat.com>
Date: Wed, 24 Sep 2014 16:03:04 +0200
Subject: [PATCH 02/22] sss_semanage: Add mlsrange parameter to set_seuser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The mlsrange parameter will be needed in the IPA provider
and probably at some point in the tools as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
src/tools/sss_useradd.c | 2 +-
src/tools/sss_usermod.c | 2 +-
src/util/sss_semanage.c | 25 ++++++++++++++++---------
src/util/util.h | 3 ++-
4 files changed, 20 insertions(+), 12 deletions(-)
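diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
index 59439401e225d752ea9a82fdb33900bf44699e18..8521b83011b42c9e2acca4136f154acb3919440c 100644
--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
@@ -205,7 +205,7 @@ int main(int argc, const char **argv)
 
 /* Set SELinux login context - must be done after transaction is done
 * b/c libselinux calls getpwnam */
-ret = set_seuser(tctx->octx->name, pc_selinux_user);
+ret = set_seuser(tctx->octx->name, pc_selinux_user, NULL);
 if (ret != EOK) {
 ERROR("Cannot set SELinux login context\n");
 ret = EXIT_FAILURE;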
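diff --git a/src/tools/sss_usermod.c b/src/tools/sss_usermod.c
index 9683c6e9e7c2bf389563515162a3772ee73987ed..55e94394766f5f46bb3c14c231186f2d79d6b6ab 100644
--- a/src/tools/sss_usermod.c
+++ b/src/tools/sss_usermod.c
@@ -300,7 +300,7 @@ int main(int argc, const char **argv)
 
 /* Set SELinux login context - must be done after transaction is done
 * b/c libselinux calls getpwnam */
-ret = set_seuser(tctx->octx->name, pc_selinux_user);
+ret = set_seuser(tctx->octx->name, pc_selinux_user, NULL);
 if (ret != EOK) {
 ERROR("Cannot set SELinux login context\n");
 ret = EXIT_FAILURE;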
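diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index dbef3b3437f9ac51021f30b510b9c15cd34e297a..3c566553f2085a696f79c5ee35ec6015824d56a6 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -22,7 +22,6 @@
 #include "config.h"
 
 #include <stdio.h>
-
 #ifdef HAVE_SEMANAGE
 #include <semanage/semanage.h>
 #endif
@@ -118,7 +117,8 @@ fail:
 static int sss_semanage_user_add(semanage_handle_t *handle,
 semanage_seuser_key_t *key,
 const char *login_name,
-const char *seuser_name)
+const char *seuser_name,
+const char *mls)
 {
 int ret;
 semanage_seuser_t *seuser = NULL;
@@ -138,7 +138,8 @@ static int sss_semanage_user_add(semanage_handle_t *handle,
 goto done;
 }
 
-ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ret = semanage_seuser_set_mlsrange(handle, seuser,
+mls ? mls : DEFAULT_SERANGE);
 if (ret != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Could not set serange for %s\n", login_name);
@@ -171,7 +172,8 @@ done:
 static int sss_semanage_user_mod(semanage_handle_t *handle,
 semanage_seuser_key_t *key,
 const char *login_name,
-const char *seuser_name)
+const char *seuser_name,
+const char *mls)
 {
 int ret;
 semanage_seuser_t *seuser = NULL;
@@ -184,7 +186,8 @@ static int sss_semanage_user_mod(semanage_handle_t *handle,
 goto done;
 }
 
-ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ret = semanage_seuser_set_mlsrange(handle, seuser,
+mls ? mls : DEFAULT_SERANGE);
 if (ret != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Could not set serange for %s\n", login_name);
@@ -213,7 +216,8 @@ done:
 return ret;
 }
 
-int set_seuser(const char *login_name, const char *seuser_name)
+int set_seuser(const char *login_name, const char *seuser_name,
+const char *mls)
 {
 semanage_handle_t *handle = NULL;
 semanage_seuser_key_t *key = NULL;
@@ -247,14 +251,16 @@ int set_seuser(const char *login_name, const char *seuser_name)
 }
 
 if (seuser_exists) {
-ret = sss_semanage_user_mod(handle, key, login_name, seuser_name);
+ret = sss_semanage_user_mod(handle, key, login_name, seuser_name,
+mls);
 if (ret != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n");
 ret = EIO;
 goto done;
 }
 } else {
-ret = sss_semanage_user_add(handle, key, login_name, seuser_name);
+ret = sss_semanage_user_add(handle, key, login_name, seuser_name,
+mls);
 if (ret != 0) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n");
 ret = EIO;
@@ -348,7 +354,8 @@ done:
 }
 
 #else /* HAVE_SEMANAGE */
-int set_seuser(const char *login_name, const char *seuser_name)
+int set_seuser(const char *login_name, const char *seuser_name,
+const char *mls)
 {
 return EOK;
 }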
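Review bot: The `mls ? mls : DEFAULT_SERANGE` fallback is written twice, once in sss_semanage_user_add and again in sss_semanage_user_mod; resolving it once in set_seuser (`const char *range = mls ? mls : DEFAULT_SERANGE;`) ahead of the add/mod dispatch and passing `range` down would keep the two helpers from drifting apart the next time one of them is edited. The new parameter also has no documentation at its definition; a comment on set_seuser such as `/* mls: MLS/MCS range for the login mapping, or NULL to use DEFAULT_SERANGE */` would make the NULL contract explicit where the code lives. Nothing in these hunks inspects the string before it is handed to semanage_seuser_set_mlsrange, so if the IPA provider ends up supplying it, as the commit message suggests, the caller is the place to check it against the expected range syntax before it is committed to the local policy store. The bodies of set_seuser and of both helpers continue outside the hunks shown.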
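diff --git a/src/util/util.h b/src/util/util.h
index b43ce6f5092e9920609826bead483976fef2f9b1..0af4db3fec723ef372f7c1acde0e3f9f013f90e0 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -592,7 +592,8 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
 errno_t restore_creds(struct sss_creds *saved_creds);
 
 /* from sss_semanage.c */
-int set_seuser(const char *login_name, const char *seuser_name);
+int set_seuser(const char *login_name, const char *seuser_name,
+const char *mlsrange);
 int del_seuser(const char *login_name);
 
 #endif /* __SSSD_UTIL_H__ */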
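Review bot: The prototype names the new parameter `mlsrange` while the definition in sss_semanage.c calls it `mls`; the two should agree so a reader jumping between header and implementation is not left wondering whether they are the same thing. This header is also the only place most callers look, and it does not say that NULL is accepted; a comment above the prototype such as `/* mlsrange may be NULL, in which case DEFAULT_SERANGE is used */` would record the contract that the sss_useradd.c and sss_usermod.c call sites already rely on.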
--
1.9.3