dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From e08eb3e3b0586b331a688a4eded2d7f13611016c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 20 Oct 2014 23:16:40 +0200
Subject: [PATCH 71/71] IPA: Move setting the SELinux context to a child
 process
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.

Reviewed-by: Michal Židek <mzidek@redhat.com>
---
 Makefile.am                       |  27 +++
 contrib/sssd.spec.in              |   1 +
 src/providers/ipa/ipa_selinux.c   | 425 +++++++++++++++++++++++++++++++++++---
 src/providers/ipa/selinux_child.c | 272 ++++++++++++++++++++++++
 src/util/util_errors.c            |   1 +
 src/util/util_errors.h            |   1 +
 6 files changed, 699 insertions(+), 28 deletions(-)
 create mode 100644 src/providers/ipa/selinux_child.c

diff --git a/Makefile.am b/Makefile.am
index ea296c40f89c552d5825cbce8e95afdc517e8bb5..b85341f5845c3cffab8a2c95b1be1d32517316e8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,9 @@ endif
 if BUILD_SAMBA
 sssdlibexec_PROGRAMS += gpo_child
 endif
+if BUILD_SEMANAGE
+sssdlibexec_PROGRAMS += selinux_child
+endif
 
 
 if BUILD_PAC_RESPONDER
@@ -2531,6 +2534,26 @@ ldap_child_LDADD = \
     $(DHASH_LIBS) \
     $(KRB5_LIBS)
 
+if BUILD_SEMANAGE
+selinux_child_SOURCES = \
+    src/providers/ipa/selinux_child.c \
+    src/util/sss_semanage.c \
+    src/util/atomic_io.c \
+    src/util/util.c \
+    $(NULL)
+selinux_child_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(POPT_CFLAGS) \
+    $(NULL)
+selinux_child_LDADD = \
+    libsss_debug.la \
+    $(TALLOC_LIBS) \
+    $(POPT_LIBS) \
+    $(DHASH_LIBS) \
+    $(SEMANAGE_LIBS) \
+    $(NULL)
+endif
+
 gpo_child_SOURCES = \
     src/providers/ad/ad_gpo_child.c \
     src/util/atomic_io.c \
@@ -2849,6 +2872,10 @@ endif
 if SSSD_USER
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 	chmod 4750 $(sssdlibexecdir)/ldap_child
+if BUILD_SEMANAGE
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
+	chmod 4750 $(sssdlibexecdir)/selinux_child
+endif
 endif
 
 install-data-hook:
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index d2e6cec2610e4c00cb376683cf7e64eb5cdafc5c..5bfb16707c22dc65376581c88b8eb898949e726f 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -665,6 +665,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %{_libdir}/%{name}/libsss_ipa.so
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 7db1c6ed2981e4c4a85d892171bbfa60b006980e..b392d82a61cd523cd5e73e5246013bdbc448ddd5 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -24,6 +24,7 @@
 #include <security/pam_modules.h>
 
 #include "db/sysdb_selinux.h"
+#include "util/child_common.h"
 #include "util/sss_selinux.h"
 #include "providers/ldap/sdap_async.h"
 #include "providers/ipa/ipa_common.h"
@@ -37,8 +38,23 @@
 #include "providers/ipa/ipa_subdomains.h"
 
 #if defined HAVE_SELINUX && defined HAVE_SELINUX_LOGIN_DIR
+
+#ifndef SELINUX_CHILD_DIR
+#ifndef SSSD_LIBEXEC_PATH
+#error "SSSD_LIBEXEC_PATH not defined"
+#endif  /* SSSD_LIBEXEC_PATH */
+
+#define SELINUX_CHILD_DIR SSSD_LIBEXEC_PATH
+#endif /* SELINUX_CHILD_DIR */
+
+#define SELINUX_CHILD SELINUX_CHILD_DIR"/selinux_child"
+#define SELINUX_CHILD_LOG_FILE "selinux_child"
+
 #include <selinux/selinux.h>
 
+/* fd used by the selinux_child process for logging */
+int selinux_child_debug_fd = -1;
+
 static struct tevent_req *
 ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
                      struct be_ctx *be_ctx,
@@ -274,12 +290,27 @@ struct map_order_ctx {
 
 static errno_t init_map_order_ctx(TALLOC_CTX *mem_ctx, const char *map_order,
                                   struct map_order_ctx **_mo_ctx);
-static errno_t choose_best_seuser(struct sysdb_attrs **usermaps,
+
+struct selinux_child_input {
+    const char *seuser;
+    const char *mls_range;
+    const char *username;
+};
+
+static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
+                                  struct sysdb_attrs **usermaps,
                                   struct pam_data *pd,
                                   struct sss_domain_info *user_domain,
                                   struct map_order_ctx *mo_ctx,
-                                  const char *default_user);
+                                  const char *default_user,
+                                  struct selinux_child_input **_sci);
 
+static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
+                                             struct tevent_context *ev,
+                                             struct selinux_child_input *sci);
+static errno_t selinux_child_recv(struct tevent_req *req);
+
+static void ipa_selinux_child_done(struct tevent_req *child_req);
 
 static void ipa_selinux_handler_done(struct tevent_req *req)
 {
@@ -299,6 +330,8 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
     struct sysdb_attrs **hbac_rules = 0;
     struct sysdb_attrs **best_match_maps;
     struct map_order_ctx *map_order_ctx;
+    struct selinux_child_input *sci;
+    struct tevent_req *child_req;
 
     ret = ipa_get_selinux_recv(req, breq, &map_count, &maps,
                                &hbac_count, &hbac_rules,
@@ -360,14 +393,61 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
         goto fail;
     }
 
-    ret = choose_best_seuser(best_match_maps, pd, op_ctx->user_domain,
-                             map_order_ctx, default_user);
+    ret = choose_best_seuser(breq,
+                             best_match_maps, pd, op_ctx->user_domain,
+                             map_order_ctx, default_user, &sci);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               "Failed to evaluate ordered SELinux users array.\n");
         goto fail;
     }
 
+    /* Update the SELinux context in a privileged child as the back end is
+     * running unprivileged
+     */
+    child_req = selinux_child_send(breq, be_ctx->ev, sci);
+    if (child_req == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "selinux_child_send() failed\n");
+        ret = ENOMEM;
+        goto fail;
+    }
+    tevent_req_set_callback(child_req, ipa_selinux_child_done, op_ctx);
+    return;
+
+fail:
+    if (in_transaction) {
+        sret = sysdb_transaction_cancel(sysdb);
+        if (sret != EOK) {
+            DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
+        }
+    }
+    if (ret == EAGAIN) {
+        be_req_terminate(breq, DP_ERR_OFFLINE, EAGAIN, "Offline");
+    } else {
+        be_req_terminate(breq, DP_ERR_FATAL, ret, NULL);
+    }
+}
+
+static void ipa_selinux_child_done(struct tevent_req *child_req)
+{
+    errno_t ret;
+    struct ipa_selinux_op_ctx *op_ctx;
+    struct be_req *breq;
+    struct pam_data *pd;
+    struct be_ctx *be_ctx;
+
+    op_ctx = tevent_req_callback_data(child_req, struct ipa_selinux_op_ctx);
+    breq = op_ctx->be_req;
+    pd = talloc_get_type(be_req_get_data(breq), struct pam_data);
+    be_ctx = be_req_get_be_ctx(breq);
+
+    ret = selinux_child_recv(child_req);
+    talloc_free(child_req);
+    if (ret != EOK) {
+        be_req_terminate(breq, DP_ERR_FATAL, ret, NULL);
+        return;
+    }
+
     /* If we got here in online mode, set last_update to current time */
     if (!be_is_offline(be_ctx)) {
         op_ctx->selinux_ctx->last_update = time(NULL);
@@ -375,20 +455,6 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
 
     pd->pam_status = PAM_SUCCESS;
     be_req_terminate(breq, DP_ERR_OK, EOK, "Success");
-    return;
-
-fail:
-    if (in_transaction) {
-        sret = sysdb_transaction_cancel(sysdb);
-        if (sret != EOK) {
-            DEBUG(SSSDBG_OP_FAILURE, "Could not cancel transaction\n");
-        }
-    }
-    if (ret == EAGAIN) {
-        be_req_terminate(breq, DP_ERR_OFFLINE, EAGAIN, "Offline");
-    } else {
-        be_req_terminate(breq, DP_ERR_FATAL, ret, NULL);
-    }
 }
 
 static errno_t
@@ -652,24 +718,28 @@ done:
     return ret;
 }
 
-static errno_t
-set_seuser_helper(const char *orig_name, struct sss_domain_info *dom,
-                  const char *seuser_mls_string);
-
+static errno_t selinux_child_setup(TALLOC_CTX *mem_ctx,
+                                   const char *orig_name,
+                                   struct sss_domain_info *dom,
+                                   const char *seuser_mls_string,
+                                   struct selinux_child_input **_sci);
 
 /* Choose best selinux user based on given order and write
  * the user to selinux login file. */
-static errno_t choose_best_seuser(struct sysdb_attrs **usermaps,
+static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
+                                  struct sysdb_attrs **usermaps,
                                   struct pam_data *pd,
                                   struct sss_domain_info *user_domain,
                                   struct map_order_ctx *mo_ctx,
-                                  const char *default_user)
+                                  const char *default_user,
+                                  struct selinux_child_input **_sci)
 {
     TALLOC_CTX *tmp_ctx;
     char *seuser_mls_str = NULL;
     const char *tmp_str;
     errno_t ret;
     int i, j;
+    struct selinux_child_input *sci;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -716,15 +786,25 @@ static errno_t choose_best_seuser(struct sysdb_attrs **usermaps,
         }
     }
 
-    ret = set_seuser_helper(pd->user, user_domain, seuser_mls_str);
+    ret = selinux_child_setup(tmp_ctx, pd->user, user_domain, seuser_mls_str, &sci);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Cannot set up child input buffer");
+        goto done;
+    }
+
+    *_sci = talloc_steal(mem_ctx, sci);
+    ret = EOK;
 done:
     talloc_free(tmp_ctx);
     return ret;
 }
 
 static errno_t
-set_seuser_helper(const char *orig_name, struct sss_domain_info *dom,
-                  const char *seuser_mls_string)
+selinux_child_setup(TALLOC_CTX *mem_ctx,
+                    const char *orig_name,
+                    struct sss_domain_info *dom,
+                    const char *seuser_mls_string,
+                    struct selinux_child_input **_sci)
 {
     errno_t ret;
     char *seuser;
@@ -733,6 +813,7 @@ set_seuser_helper(const char *orig_name, struct sss_domain_info *dom,
     char *username;
     char *username_final;
     TALLOC_CTX *tmp_ctx;
+    struct selinux_child_input *sci;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -778,12 +859,300 @@ set_seuser_helper(const char *orig_name, struct sss_domain_info *dom,
         username_final = username;
     }
 
-    ret = set_seuser(username_final, seuser, mls_range);
+    sci = talloc(tmp_ctx, struct selinux_child_input);
+    if (sci == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    sci->seuser = talloc_strdup(sci, seuser);
+    sci->mls_range = talloc_strdup(sci, mls_range);
+    sci->username = talloc_strdup(sci, username);
+    if (sci->seuser == NULL || sci->mls_range == NULL
+        || sci->username == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+
+    *_sci = talloc_steal(mem_ctx, sci);
+    ret = EOK;
 done:
     talloc_free(tmp_ctx);
     return ret;
 }
 
+struct selinux_child_state {
+    struct selinux_child_input *sci;
+    struct tevent_context *ev;
+    struct io_buffer *buf;
+    struct child_io_fds *io;
+};
+
+static errno_t selinux_child_init(void);
+static errno_t selinux_child_create_buffer(struct selinux_child_state *state);
+static errno_t selinux_fork_child(struct selinux_child_state *state);
+static void selinux_child_step(struct tevent_req *subreq);
+static void selinux_child_done(struct tevent_req *subreq);
+static errno_t selinux_child_parse_response(uint8_t *buf, ssize_t len,
+                                            uint32_t *_child_result);
+
+static struct tevent_req *selinux_child_send(TALLOC_CTX *mem_ctx,
+                                             struct tevent_context *ev,
+                                             struct selinux_child_input *sci)
+{
+    struct tevent_req *req;
+    struct tevent_req *subreq;
+    struct selinux_child_state *state;
+    errno_t ret;
+
+    req = tevent_req_create(mem_ctx, &state, struct selinux_child_state);
+    if (req == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "tevent_req_create() failed\n");
+        return NULL;
+    }
+
+    state->sci = sci;
+    state->ev = ev;
+    state->io = talloc(state, struct child_io_fds);
+    state->buf = talloc(state, struct io_buffer);
+    if (state->io == NULL || state->buf == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    state->io->write_to_child_fd = -1;
+    state->io->read_from_child_fd = -1;
+    talloc_set_destructor((void *) state->io, child_io_destructor);
+
+    ret = selinux_child_init();
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to init the child\n");
+        goto immediately;
+    }
+
+    ret = selinux_child_create_buffer(state);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to create the send buffer\n");
+        ret = ENOMEM;
+        goto immediately;
+    }
+
+    ret = selinux_fork_child(state);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_OP_FAILURE, "Failed to fork the child\n");
+        goto immediately;
+    }
+
+    subreq = write_pipe_send(state, ev, state->buf->data, state->buf->size,
+                             state->io->write_to_child_fd);
+    if (subreq == NULL) {
+        ret = ENOMEM;
+        goto immediately;
+    }
+    tevent_req_set_callback(subreq, selinux_child_step, req);
+
+    ret = EOK;
+immediately:
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+        tevent_req_post(req, ev);
+    }
+    return req;
+}
+
+static errno_t selinux_child_init(void)
+{
+    return child_debug_init(SELINUX_CHILD_LOG_FILE, &selinux_child_debug_fd);
+}
+
+static errno_t selinux_child_create_buffer(struct selinux_child_state *state)
+{
+    size_t rp;
+    size_t seuser_len;
+    size_t mls_range_len;
+    size_t username_len;
+
+    seuser_len = strlen(state->sci->seuser);
+    mls_range_len = strlen(state->sci->mls_range);
+    username_len = strlen(state->sci->username);
+
+    state->buf->size = 3 * sizeof(uint32_t);
+    state->buf->size += seuser_len + mls_range_len + username_len;
+
+    DEBUG(SSSDBG_TRACE_ALL, "buffer size: %zu\n", state->buf->size);
+
+    state->buf->data = talloc_size(state->buf, state->buf->size);
+    if (state->buf->data == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+        return ENOMEM;
+    }
+
+    rp = 0;
+
+    /* seuser */
+    SAFEALIGN_SET_UINT32(&state->buf->data[rp], seuser_len, &rp);
+    safealign_memcpy(&state->buf->data[rp], state->sci->seuser,
+                     seuser_len, &rp);
+
+    /* mls_range */
+    SAFEALIGN_SET_UINT32(&state->buf->data[rp], mls_range_len, &rp);
+    safealign_memcpy(&state->buf->data[rp], state->sci->mls_range,
+                     mls_range_len, &rp);
+
+    /* username */
+    SAFEALIGN_SET_UINT32(&state->buf->data[rp], username_len, &rp);
+    safealign_memcpy(&state->buf->data[rp], state->sci->username,
+                     username_len, &rp);
+
+    return EOK;
+}
+
+static errno_t selinux_fork_child(struct selinux_child_state *state)
+{
+    int pipefd_to_child[2];
+    int pipefd_from_child[2];
+    pid_t pid;
+    errno_t ret;
+
+    ret = pipe(pipefd_from_child);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "pipe failed [%d][%s].\n", errno, sss_strerror(errno));
+        return ret;
+    }
+
+    ret = pipe(pipefd_to_child);
+    if (ret == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "pipe failed [%d][%s].\n", errno, sss_strerror(errno));
+        return ret;
+    }
+
+    pid = fork();
+
+    if (pid == 0) { /* child */
+        ret = exec_child(state,
+                         pipefd_to_child, pipefd_from_child,
+                         SELINUX_CHILD, selinux_child_debug_fd);
+        DEBUG(SSSDBG_CRIT_FAILURE, "Could not exec selinux_child: [%d][%s].\n",
+              ret, sss_strerror(ret));
+        return ret;
+    } else if (pid > 0) { /* parent */
+        state->io->read_from_child_fd = pipefd_from_child[0];
+        close(pipefd_from_child[1]);
+        state->io->write_to_child_fd = pipefd_to_child[1];
+        close(pipefd_to_child[0]);
+        fd_nonblocking(state->io->read_from_child_fd);
+        fd_nonblocking(state->io->write_to_child_fd);
+
+        ret = child_handler_setup(state->ev, pid, NULL, NULL, NULL);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE,
+                  "Could not set up child signal handler\n");
+            return ret;
+        }
+    } else { /* error */
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "fork failed [%d][%s].\n", errno, sss_strerror(errno));
+        return ret;
+    }
+
+    return EOK;
+}
+
+static void selinux_child_step(struct tevent_req *subreq)
+{
+    struct tevent_req *req;
+    errno_t ret;
+    struct selinux_child_state *state;
+
+
+    req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct selinux_child_state);
+
+    ret = write_pipe_recv(subreq);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    close(state->io->write_to_child_fd);
+    state->io->write_to_child_fd = -1;
+
+    subreq = read_pipe_send(state, state->ev, state->io->read_from_child_fd);
+    if (subreq == NULL) {
+        tevent_req_error(req, ENOMEM);
+        return;
+    }
+    tevent_req_set_callback(subreq, selinux_child_done, req);
+}
+
+static void selinux_child_done(struct tevent_req *subreq)
+{
+    struct tevent_req *req;
+    struct selinux_child_state *state;
+    uint32_t child_result;
+    errno_t ret;
+    ssize_t len;
+    uint8_t *buf;
+
+    req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct selinux_child_state);
+
+    ret = read_pipe_recv(subreq, state, &buf, &len);
+    talloc_zfree(subreq);
+    if (ret != EOK) {
+        tevent_req_error(req, ret);
+        return;
+    }
+
+    close(state->io->read_from_child_fd);
+    state->io->read_from_child_fd = -1;
+
+    ret = selinux_child_parse_response(buf, len, &child_result);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "selinux_child_parse_response failed: [%d][%s]\n",
+              ret, strerror(ret));
+        tevent_req_error(req, ret);
+        return;
+    } else if (child_result != 0){
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "Error in selinux_child: [%d][%s]\n",
+              child_result, strerror(child_result));
+        tevent_req_error(req, ERR_SELINUX_CONTEXT);
+        return;
+    }
+
+    tevent_req_done(req);
+    return;
+}
+
+static errno_t selinux_child_parse_response(uint8_t *buf,
+                                            ssize_t len,
+                                            uint32_t *_child_result)
+{
+    size_t p = 0;
+    uint32_t child_result;
+
+    /* semanage retval */
+    SAFEALIGN_COPY_UINT32_CHECK(&child_result, buf + p, len, &p);
+
+    *_child_result = child_result;
+    return EOK;
+}
+
+static errno_t selinux_child_recv(struct tevent_req *req)
+{
+    TEVENT_REQ_RETURN_ON_ERROR(req);
+    return EOK;
+}
+
 /* A more generic request to gather all SELinux and HBAC rules. Updates
  * cache if necessary
  */
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
new file mode 100644
index 0000000000000000000000000000000000000000..a624cfd30d6795c305b7673d849213c74de95cd8
--- /dev/null
+++ b/src/providers/ipa/selinux_child.c
@@ -0,0 +1,272 @@
+/*
+    SSSD
+
+    IPA back end -- set SELinux context in a child module
+
+    Authors:
+        Jakub Hrozek <jhrozek@redhat.com>
+
+    Copyright (C) 2014 Red Hat
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <popt.h>
+
+#include "util/util.h"
+#include "util/child_common.h"
+#include "providers/dp_backend.h"
+
+struct input_buffer {
+    const char *seuser;
+    const char *mls_range;
+    const char *username;
+};
+
+static errno_t unpack_buffer(uint8_t *buf,
+                             size_t size,
+                             struct input_buffer *ibuf)
+{
+    size_t p = 0;
+    uint32_t len;
+
+    /* seuser */
+    SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+    DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
+    if (len == 0) {
+        return EINVAL;
+    } else {
+        if ((p + len ) > size) return EINVAL;
+        ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
+        if (ibuf->seuser == NULL) return ENOMEM;
+        DEBUG(SSSDBG_TRACE_INTERNAL, "seuser: %s\n", ibuf->seuser);
+        p += len;
+    }
+
+    /* MLS range */
+    SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+    DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
+    if (len == 0) {
+        return EINVAL;
+    } else {
+        if ((p + len ) > size) return EINVAL;
+        ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
+        if (ibuf->mls_range == NULL) return ENOMEM;
+        DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range: %s\n", ibuf->mls_range);
+        p += len;
+    }
+
+    /* username */
+    SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+    DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
+    if (len == 0) {
+        return EINVAL;
+    } else {
+        if ((p + len ) > size) return EINVAL;
+        ibuf->username = talloc_strndup(ibuf, (char *)(buf + p), len);
+        if (ibuf->username == NULL) return ENOMEM;
+        DEBUG(SSSDBG_TRACE_INTERNAL, "username: %s\n", ibuf->username);
+        p += len;
+    }
+
+    return EOK;
+}
+
+static errno_t pack_buffer(struct response *r, int result)
+{
+    size_t p = 0;
+
+    /* A buffer with the following structure must be created:
+     *   uint32_t status of the request (required)
+     */
+    r->size =  sizeof(uint32_t);
+
+    r->buf = talloc_array(r, uint8_t, r->size);
+    if(r->buf == NULL) {
+        return ENOMEM;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "result [%d]\n", result);
+
+    /* result */
+    SAFEALIGN_SET_UINT32(&r->buf[p], result, &p);
+
+    return EOK;
+}
+
+static errno_t prepare_response(TALLOC_CTX *mem_ctx,
+                                int result,
+                                struct response **rsp)
+{
+    int ret;
+    struct response *r = NULL;
+
+    r = talloc_zero(mem_ctx, struct response);
+    if (r == NULL) {
+        return ENOMEM;
+    }
+
+    r->buf = NULL;
+    r->size = 0;
+
+    ret = pack_buffer(r, result);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n");
+        return ret;
+    }
+
+    *rsp = r;
+    DEBUG(SSSDBG_TRACE_ALL, "r->size: %zu\n", r->size);
+    return EOK;
+}
+
+int main(int argc, const char *argv[])
+{
+    int opt;
+    poptContext pc;
+    int debug_fd = -1;
+    errno_t ret;
+    TALLOC_CTX *main_ctx = NULL;
+    uint8_t *buf = NULL;
+    ssize_t len = 0;
+    struct input_buffer *ibuf = NULL;
+    struct response *resp = NULL;
+    size_t written;
+
+    struct poptOption long_options[] = {
+        POPT_AUTOHELP
+        {"debug-level", 'd', POPT_ARG_INT, &debug_level, 0,
+         _("Debug level"), NULL},
+        {"debug-timestamps", 0, POPT_ARG_INT, &debug_timestamps, 0,
+         _("Add debug timestamps"), NULL},
+        {"debug-microseconds", 0, POPT_ARG_INT, &debug_microseconds, 0,
+         _("Show timestamps with microseconds"), NULL},
+        {"debug-fd", 0, POPT_ARG_INT, &debug_fd, 0,
+         _("An open file descriptor for the debug logs"), NULL},
+        {"debug-to-stderr", 0, POPT_ARG_NONE | POPT_ARGFLAG_DOC_HIDDEN,
+         &debug_to_stderr, 0,
+         _("Send the debug output to stderr directly."), NULL },
+        POPT_TABLEEND
+    };
+
+    /* Set debug level to invalid value so we can decide if -d 0 was used. */
+    debug_level = SSSDBG_INVALID;
+
+    pc = poptGetContext(argv[0], argc, argv, long_options, 0);
+    while((opt = poptGetNextOpt(pc)) != -1) {
+        switch(opt) {
+        default:
+        fprintf(stderr, "\nInvalid option %s: %s\n\n",
+                  poptBadOption(pc, 0), poptStrerror(opt));
+            poptPrintUsage(pc, stderr, 0);
+            _exit(-1);
+        }
+    }
+
+    poptFreeContext(pc);
+
+    DEBUG_INIT(debug_level);
+
+    debug_prg_name = talloc_asprintf(NULL, "[sssd[selinux_child[%d]]]", getpid());
+    if (debug_prg_name == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
+        goto fail;
+    }
+
+    if (debug_fd != -1) {
+        ret = set_debug_file_from_fd(debug_fd);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "set_debug_file_from_fd failed.\n");
+        }
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+
+    main_ctx = talloc_new(NULL);
+    if (main_ctx == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_new failed.\n");
+        talloc_free(discard_const(debug_prg_name));
+        goto fail;
+    }
+    talloc_steal(main_ctx, debug_prg_name);
+
+    buf = talloc_size(main_ctx, sizeof(uint8_t)*IN_BUF_SIZE);
+    if (buf == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_size failed.\n");
+        goto fail;
+    }
+
+    ibuf = talloc_zero(main_ctx, struct input_buffer);
+    if (ibuf == NULL) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "talloc_zero failed.\n");
+        goto fail;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "context initialized\n");
+
+    errno = 0;
+    len = sss_atomic_read_s(STDIN_FILENO, buf, IN_BUF_SIZE);
+    if (len == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE, "read failed [%d][%s].\n", ret, strerror(ret));
+        goto fail;
+    }
+
+    close(STDIN_FILENO);
+
+    ret = unpack_buffer(buf, len, ibuf);
+    if (ret != EOK) {
+        DEBUG(SSSDBG_CRIT_FAILURE,
+              "unpack_buffer failed.[%d][%s].\n", ret, strerror(ret));
+        goto fail;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n");
+
+    ret = set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
+
+    ret = prepare_response(main_ctx, ret, &resp);
+
+    errno = 0;
+
+    written = sss_atomic_write_s(STDOUT_FILENO, resp->buf, resp->size);
+    if (written == -1) {
+        ret = errno;
+        DEBUG(SSSDBG_CRIT_FAILURE, "write failed [%d][%s].\n", ret,
+                    strerror(ret));
+        goto fail;
+    }
+
+    if (written != resp->size) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "Expected to write %zu bytes, wrote %zu\n",
+              resp->size, written);
+        goto fail;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "selinux_child completed successfully\n");
+    close(STDOUT_FILENO);
+    talloc_free(main_ctx);
+    return EXIT_SUCCESS;
+fail:
+    DEBUG(SSSDBG_CRIT_FAILURE, "selinux_child failed!\n");
+    close(STDOUT_FILENO);
+    talloc_free(main_ctx);
+    return EXIT_FAILURE;
+}
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 5b36780ffcdc6733241cdb942865ecdf38da3bca..d5da64622eebe7f779816c7f2090da5b9a9b13f0 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -62,6 +62,7 @@ struct err_string error_to_str[] = {
     { "Bus method not supported" }, /* ERR_SBUS_NOSUP */
     { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
+    { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
 };
 
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index e040ba903b27d06ec75cea31485d2f3111ca5302..2bc576605e613d674d38b54aae1604c0b044635f 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -84,6 +84,7 @@ enum sssd_errors {
     ERR_SBUS_NOSUP,
     ERR_NO_SYSBUS,
     ERR_REFERRAL,
+    ERR_SELINUX_CONTEXT,
     ERR_LAST            /* ALWAYS LAST */
 };
 
-- 
1.9.3