From 0f1b17391dce51ce149cafecf5dfe7acc1dc32cb Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 13 Feb 2015 17:57:35 +0100
Subject: [PATCH 190/190] selinux: Delete existing user mapping on empty
default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
https://fedorahosted.org/sssd/ticket/2587
|
The case of SELinux default user mapping being an empty string is valid,
it should translate into "pick the default context on the target
machine".
|
In case the context is empty, we need to delete the per-user mapping from
the SELinux database to make sure the default is used.
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
---
src/providers/ipa/ipa_selinux.c | 14 ++++++++------
src/providers/ipa/selinux_child.c | 10 +++++++++-
2 files changed, 17 insertions(+), 7 deletions(-)
|
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 133b679b6d518704ebb2bd901c64ac48170c9a0b..1172424cb3f6df06e6ecaa8914427f8f945a7251 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
|
/* If no maps match, we'll use the default SELinux user from the
* config */
- seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
+ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
if (seuser_mls_str == NULL) {
ret = ENOMEM;
goto done;
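Review bot: The new fallback on the `+` line folds a NULL default_user (no default configured) into an empty string, and an empty seuser is what later makes selinux_child delete the user's mapping, so a missing config value and an explicitly empty one are indistinguishable from this point on; before the change a NULL here produced ENOMEM instead. If that is the intent, record it next to the strdup: `/* NULL (no default configured) and "" both mean "use the system default"; the child then drops the per-user mapping */`. The rest of choose_best_seuser lies outside the hunk on both sides.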
@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
return ENOMEM;
}
|
- ret = sysdb_attrs_add_string(state->defaults,
- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
- default_user);
- if (ret != EOK) {
- return ret;
+ if (default_user) {
+ ret = sysdb_attrs_add_string(state->defaults,
+ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+ default_user);
+ if (ret != EOK) {
+ return ret;
+ }
}
|
ret = sysdb_attrs_add_string(state->defaults,
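Review bot: The new `if (default_user)` guard silently leaves IPA_CONFIG_SELINUX_DEFAULT_USER_CTX out of state->defaults, and nothing in the hunk records why, so a later reader of the offline cache has no hint that the missing attribute is deliberate. A comment on the guard would carry that intent: `/* No default SELinux user in the IPA config: leave the attribute unset so the empty-default handling applies */`. I take it the guard exists because sysdb_attrs_add_string does not accept a NULL value; that is an inference from the shape of the change and worth confirming. The call on the last context line and the rest of ipa_get_selinux_maps_offline continue outside the hunk.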
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d4670389667607972dd6f072b5ddfda5973e082b..2f79dea109752de09af1105495e1ca8db1e80680 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
* the directories are created with the expected permissions
*/
old_mask = umask(0);
- ret = set_seuser(login_name, seuser_name, mls);
+ if (strcmp(seuser_name, "") == 0) {
+ /* An empty SELinux user should cause SSSD to use the system
+ * default. We need to remove the SELinux user from the DB
+ * in that case
+ */
+ ret = del_seuser(login_name);
+ } else {
+ ret = set_seuser(login_name, seuser_name, mls);
+ }
umask(old_mask);
return ret;
}
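Review bot: The empty-name branch calls del_seuser for every login whose resolved SELinux user is empty, including users that never had a per-user mapping, so the result of this function now depends on whether del_seuser treats an absent mapping as success; if it reports an error in that case, logins that used to succeed would fail here, which is worth confirming against del_seuser rather than assuming. The test itself reads more directly as `if (seuser_name[0] == '\0') {`; whether seuser_name can be NULL is settled before the hunk, since sc_set_seuser starts outside it. Both branches now run inside the umask(0) window opened on the line above, which is harmless for a delete, but the comment above that call only explains the mask for the create path, so extend it to say the delete path shares it.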
--
2.1.0