|
 |
ca1eb8 |
From 663fdd3897c5da1a54fcb51613bd71660ef9b19a Mon Sep 17 00:00:00 2001
|
|
|
ca1eb8 |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
ca1eb8 |
Date: Wed, 20 Jun 2018 22:02:57 +0200
|
|
|
ca1eb8 |
Subject: [PATCH] SELINUX: Also call is_selinux_enabled as a check for selinux
|
|
|
ca1eb8 |
child
|
|
|
ca1eb8 |
MIME-Version: 1.0
|
|
|
ca1eb8 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ca1eb8 |
Content-Transfer-Encoding: 8bit
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
Resolves:
|
|
|
ca1eb8 |
https://pagure.io/SSSD/sssd/issue/3796
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
The SSSD selinux management routines were only checking if SELinux is
|
|
|
ca1eb8 |
managed on the system. If it is managed, the code tries to proceed and
|
|
|
ca1eb8 |
set the login context, otherwise an error is returned which SSSD handles
|
|
|
ca1eb8 |
gracefully.
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
But this is not enough, in some cases SELinux might be disabled, but
|
|
|
ca1eb8 |
managed and in these cases SSSD was returning strange errors, which
|
|
|
ca1eb8 |
might have prevented login with selinux provider in effect.
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
We got this hint form the RH SELinux maintainer:
|
|
|
ca1eb8 |
"""
|
|
|
ca1eb8 |
libsemanage is for managing SELinux infrastructure. generally if there's
|
|
|
ca1eb8 |
/etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux
|
|
|
ca1eb8 |
module store - /etc/selinux/<SELINUXTYPE>/active (or
|
|
|
ca1eb8 |
/var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can
|
|
|
ca1eb8 |
manage it even when SELinux is disabled.
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
I'm not sure if selinux_child doesn any is_selinux_enabled() checks but
|
|
|
ca1eb8 |
it could help to avoid such situations.
|
|
|
ca1eb8 |
"""
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
|
|
|
ca1eb8 |
(cherry picked from commit 1e81d040c75b2b15cab48fb7df1041138747e6c3)
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
DOWNSTREAM:
|
|
|
ca1eb8 |
Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled
|
|
|
ca1eb8 |
---
|
|
|
ca1eb8 |
src/util/sss_semanage.c | 4 ++++
|
|
|
ca1eb8 |
1 file changed, 4 insertions(+)
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
|
|
ca1eb8 |
index 7b0eef22330db8df6ab8f46da5fb76c68f6adabc..bcce57b603bd1c4d5c6465dbb5cc7a3fbe72412d 100644
|
|
|
ca1eb8 |
--- a/src/util/sss_semanage.c
|
|
|
ca1eb8 |
+++ b/src/util/sss_semanage.c
|
|
|
ca1eb8 |
@@ -82,6 +82,10 @@ static int sss_is_selinux_managed(semanage_handle_t *handle)
|
|
|
ca1eb8 |
return EINVAL;
|
|
|
ca1eb8 |
}
|
|
|
ca1eb8 |
|
|
|
ca1eb8 |
+ if (!is_selinux_enabled()) {
|
|
|
ca1eb8 |
+ return ERR_SELINUX_NOT_MANAGED;
|
|
|
ca1eb8 |
+ }
|
|
|
ca1eb8 |
+
|
|
|
ca1eb8 |
ret = semanage_is_managed(handle);
|
|
|
ca1eb8 |
if (ret == 0) {
|
|
|
ca1eb8 |
DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
|
|
|
ca1eb8 |
--
|
|
|
ca1eb8 |
2.17.1
|
|
|
ca1eb8 |
|