From 20dd4c33d226862d124b2f010181550e820df5f8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 27 Jan 2015 11:12:18 +0100
Subject: [PATCH 183/183] SELINUX: Set and reset umask when caling set_seuser from deamon code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2563

Reviewed-by: Michal Židek
(cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
---
 src/providers/ipa/selinux_child.c | 18 +++++++++++++++++-
 src/util/util.h | 4 ++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index bda89c847dc160e1d667d333ee515cf7260e7db8..d4670389667607972dd6f072b5ddfda5973e082b 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -135,6 +135,22 @@ static errno_t prepare_response(TALLOC_CTX *mem_ctx,
 return EOK;
 }
 
+static int sc_set_seuser(const char *login_name, const char *seuser_name,
+ const char *mls)
+{
+ int ret;
+ mode_t old_mask;
+
+ /* This is a workaround for
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure
+ * the directories are created with the expected permissions
+ */
+ old_mask = umask(0);
+ ret = set_seuser(login_name, seuser_name, mls);
+ umask(old_mask);
+ return ret;
+}
+
 int main(int argc, const char *argv[])
 {
 int opt;
@@ -256,7 +272,7 @@ int main(int argc, const char *argv[])
 
 DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n");
 
- ret = set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
+ ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n");
 goto fail;
diff --git a/src/util/util.h b/src/util/util.h
index 23624c8156a053bc6c30bda9796029af3da62d3a..bf3a9a057aed77e93949370f8651af2631d91432 100644
--- a/src/util/util.h
+++ b/src/util/util.h
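Review bot: `umask(0)` in sc_set_seuser clears every permission bit for the whole set_seuser() call, so any file or directory libsemanage creates with a permissive mode argument comes out group- and world-writable, not only the directories the referenced bug is about. If a narrower mask such as `umask(022)` is enough to get the expected directory permissions, it would keep a least-privilege default; whether it suffices has to be checked against the referenced bug, which is not on this page. Because umask is process-wide, the comment block should also record the assumption the workaround rests on, e.g. `* umask() is process-wide; this assumes no other thread of selinux_child creates files while set_seuser() runs.` The second hunk's call-site change needs no further work; main() starts and ends outside both hunks.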
@@ -628,6 +628,10 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
 errno_t restore_creds(struct sss_creds *saved_creds);
 
 /* from sss_semanage.c */
+/* Please note that libsemange relies on files and directories created with
+ * certain permissions. Therefore the caller should make sure the umask is
+ * not too restricted (especially when called from the daemon code).
+ */
 int set_seuser(const char *login_name, const char *seuser_name,
 const char *mlsrange);
 int del_seuser(const char *login_name);
-- 
2.1.0
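Review bot: The added header comment misspells the library name: `libsemange` should read `libsemanage`. "Not too restricted" also leaves the caller guessing what to do; pointing at the wrapper this commit adds makes the contract concrete, e.g. `* Daemon code should call set_seuser() through a wrapper that widens the umask for the duration of the call (see sc_set_seuser() in src/providers/ipa/selinux_child.c).`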