From 06c13c32faff1d9dcb5156f496a4848bfe1f1462 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Thu, 23 Aug 2018 13:55:51 +0200

Subject: [PATCH 22/28] SELINUX: Always add SELinux user to the semanage

 database if it doesn't exist

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Previously, we tried to optimize too much and only set the SELinux user

to Linux user mapping in case the SELinux user was different from the

system default. But this doesn't work for the case where the Linux user

has a non-standard home directory, because then SELinux would not have

any idea that this user's home directory should be labeled as a home

directory.

This patch relaxes the optimization in the sense that on the first

login, the SELinux context is saved regardless of whether it is the same

as the default or different.

Resolves:

https://pagure.io/SSSD/sssd/issue/3819

Reviewed-by: Michal Židek <mzidek@redhat.com>

(cherry picked from commit 945865ae16120ffade267227ca48cefd58822fd2)

---

 src/providers/ipa/selinux_child.c | 10 ++++++++--

 src/util/sss_semanage.c           | 30 ++++++++++++++++++++++++++++++

 src/util/util.h                   |  1 +

 src/util/util_errors.c            |  1 +

 src/util/util_errors.h            |  1 +

 5 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c

index d061417a5a30aacb231d973fa1aa7ddab869fc51..925591ec902d3b6f3b687fcb4a5f160b1b1d9a8d 100644

--- a/src/providers/ipa/selinux_child.c

+++ b/src/providers/ipa/selinux_child.c

@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,

     ret = sss_get_seuser(username, &db_seuser, &db_mls_range);

     DEBUG(SSSDBG_TRACE_INTERNAL,

-          "getseuserbyname: ret: %d seuser: %s mls: %s\n",

+          "sss_get_seuser: ret: %d seuser: %s mls: %s\n",

           ret, db_seuser ? db_seuser : "unknown",

           db_mls_range ? db_mls_range : "unknown");

     if (ret == EOK && db_seuser && db_mls_range &&

             strcmp(db_seuser, seuser) == 0 &&

             strcmp(db_mls_range, mls_range) == 0) {

-        needs_update = false;

+        ret = sss_seuser_exists(username);

+        if (ret == EOK) {

+            needs_update = false;

+        }

     }

     /* OR */

     if (ret == ERR_SELINUX_NOT_MANAGED) {

@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,

     free(db_seuser);

     free(db_mls_range);

+    DEBUG(SSSDBG_TRACE_FUNC,

+          "The SELinux user does %sneed an update\n",

+          needs_update ? "" : "not ");

     return needs_update;

 }

diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c

index bcce57b603bd1c4d5c6465dbb5cc7a3fbe72412d..aea03852ac07dd344b6170d7ec2a030f30e0f202 100644

--- a/src/util/sss_semanage.c

+++ b/src/util/sss_semanage.c

@@ -248,6 +248,36 @@ done:

     return ret;

 }

+int sss_seuser_exists(const char *linuxuser)

+{

+    int ret;

+    int exists;

+    semanage_seuser_key_t *sm_key = NULL;

+    semanage_handle_t *sm_handle = NULL;

+

+    ret = sss_semanage_init(&sm_handle);

+    if (ret != EOK) {

+        return ret;

+    }

+

+    ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);

+    if (ret < 0) {

+        sss_semanage_close(sm_handle);

+        return EIO;

+    }

+

+    ret = semanage_seuser_exists(sm_handle, sm_key, &exists;;

+    semanage_seuser_key_free(sm_key);

+    sss_semanage_close(sm_handle);

+    if (ret < 0) {

+        return EIO;

+    }

+

+    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");

+

+    return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;

+}

+

 int sss_get_seuser(const char *linuxuser,

                    char **selinuxuser,

                    char **level)

diff --git a/src/util/util.h b/src/util/util.h

index 867acf26fff18becb01397697ea6dde2961d9ece..59e7a96ba58aa9400166514064922d25fb713deb 100644

--- a/src/util/util.h

+++ b/src/util/util.h

@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);

 int sss_get_seuser(const char *linuxuser,

                    char **selinuxuser,

                    char **level);

+int sss_seuser_exists(const char *linuxuser);

 /* convert time from generalized form to unix time */

 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);

diff --git a/src/util/util_errors.c b/src/util/util_errors.c

index 920a178615bef081c9fd035570e661ba6438350a..5f8a2a29ab5af44432c01a85c02f61ece3cdc8b5 100644

--- a/src/util/util_errors.c

+++ b/src/util/util_errors.c

@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {

     { "LDAP search returned a referral" }, /* ERR_REFERRAL */

     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */

     { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */

+    { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */

     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */

     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */

     { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */

diff --git a/src/util/util_errors.h b/src/util/util_errors.h

index 5a509362616248ec3f688e28996ec4b6e25ee131..c6731d4f999bdadcef2bb65a6be199d0db009674 100644

--- a/src/util/util_errors.h

+++ b/src/util/util_errors.h

@@ -97,6 +97,7 @@ enum sssd_errors {

     ERR_REFERRAL,

     ERR_SELINUX_CONTEXT,

     ERR_SELINUX_NOT_MANAGED,

+    ERR_SELINUX_USER_NOT_FOUND,

     ERR_REGEX_NOMATCH,

     ERR_TIMESPEC_NOT_SUPPORTED,

     ERR_INVALID_CONFIG,

--

2.14.4