|
 |
0d602d |
From e7e942ceb1f8402d00f5f14a9e065d3fc434b711 Mon Sep 17 00:00:00 2001
|
|
|
0d602d |
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
0d602d |
Date: Thu, 23 Aug 2018 13:55:51 +0200
|
|
|
0d602d |
Subject: [PATCH] SELINUX: Always add SELinux user to the semanage database if
|
|
|
0d602d |
it doesn't exist
|
|
|
0d602d |
MIME-Version: 1.0
|
|
|
0d602d |
Content-Type: text/plain; charset=UTF-8
|
|
|
0d602d |
Content-Transfer-Encoding: 8bit
|
|
|
0d602d |
|
|
|
0d602d |
Previously, we tried to optimize too much and only set the SELinux user
|
|
|
0d602d |
to Linux user mapping in case the SELinux user was different from the
|
|
|
0d602d |
system default. But this doesn't work for the case where the Linux user
|
|
|
0d602d |
has a non-standard home directory, because then SELinux would not have
|
|
|
0d602d |
any idea that this user's home directory should be labeled as a home
|
|
|
0d602d |
directory.
|
|
|
0d602d |
|
|
|
0d602d |
This patch relaxes the optimization in the sense that on the first
|
|
|
0d602d |
login, the SELinux context is saved regardless of whether it is the same
|
|
|
0d602d |
as the default or different.
|
|
|
0d602d |
|
|
|
0d602d |
Resolves:
|
|
|
0d602d |
https://pagure.io/SSSD/sssd/issue/3819
|
|
|
0d602d |
|
|
|
0d602d |
Reviewed-by: Michal Židek <mzidek@redhat.com>
|
|
|
0d602d |
(cherry picked from commit 945865ae16120ffade267227ca48cefd58822fd2)
|
|
|
0d602d |
---
|
|
|
0d602d |
src/providers/ipa/selinux_child.c | 10 ++++++++--
|
|
|
0d602d |
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
|
|
|
0d602d |
src/util/util.h | 1 +
|
|
|
0d602d |
src/util/util_errors.c | 1 +
|
|
|
0d602d |
src/util/util_errors.h | 1 +
|
|
|
0d602d |
5 files changed, 41 insertions(+), 2 deletions(-)
|
|
|
0d602d |
|
|
|
0d602d |
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
|
|
0d602d |
index d061417..925591e 100644
|
|
|
0d602d |
--- a/src/providers/ipa/selinux_child.c
|
|
|
0d602d |
+++ b/src/providers/ipa/selinux_child.c
|
|
|
0d602d |
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
|
|
|
0d602d |
|
|
|
0d602d |
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
|
|
|
0d602d |
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
|
0d602d |
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
|
|
|
0d602d |
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
|
|
|
0d602d |
ret, db_seuser ? db_seuser : "unknown",
|
|
|
0d602d |
db_mls_range ? db_mls_range : "unknown");
|
|
|
0d602d |
if (ret == EOK && db_seuser && db_mls_range &&
|
|
|
0d602d |
strcmp(db_seuser, seuser) == 0 &&
|
|
|
0d602d |
strcmp(db_mls_range, mls_range) == 0) {
|
|
|
0d602d |
- needs_update = false;
|
|
|
0d602d |
+ ret = sss_seuser_exists(username);
|
|
|
0d602d |
+ if (ret == EOK) {
|
|
|
0d602d |
+ needs_update = false;
|
|
|
0d602d |
+ }
|
|
|
0d602d |
}
|
|
|
0d602d |
/* OR */
|
|
|
0d602d |
if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
|
0d602d |
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
|
|
|
0d602d |
|
|
|
0d602d |
free(db_seuser);
|
|
|
0d602d |
free(db_mls_range);
|
|
|
0d602d |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
0d602d |
+ "The SELinux user does %sneed an update\n",
|
|
|
0d602d |
+ needs_update ? "" : "not ");
|
|
|
0d602d |
return needs_update;
|
|
|
0d602d |
}
|
|
|
0d602d |
|
|
|
0d602d |
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
|
|
0d602d |
index bcce57b..aea0385 100644
|
|
|
0d602d |
--- a/src/util/sss_semanage.c
|
|
|
0d602d |
+++ b/src/util/sss_semanage.c
|
|
|
0d602d |
@@ -248,6 +248,36 @@ done:
|
|
|
0d602d |
return ret;
|
|
|
0d602d |
}
|
|
|
0d602d |
|
|
|
0d602d |
+int sss_seuser_exists(const char *linuxuser)
|
|
|
0d602d |
+{
|
|
|
0d602d |
+ int ret;
|
|
|
0d602d |
+ int exists;
|
|
|
0d602d |
+ semanage_seuser_key_t *sm_key = NULL;
|
|
|
0d602d |
+ semanage_handle_t *sm_handle = NULL;
|
|
|
0d602d |
+
|
|
|
0d602d |
+ ret = sss_semanage_init(&sm_handle);
|
|
|
0d602d |
+ if (ret != EOK) {
|
|
|
0d602d |
+ return ret;
|
|
|
0d602d |
+ }
|
|
|
0d602d |
+
|
|
|
0d602d |
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
|
|
|
0d602d |
+ if (ret < 0) {
|
|
|
0d602d |
+ sss_semanage_close(sm_handle);
|
|
|
0d602d |
+ return EIO;
|
|
|
0d602d |
+ }
|
|
|
0d602d |
+
|
|
|
0d602d |
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists;;
|
|
|
0d602d |
+ semanage_seuser_key_free(sm_key);
|
|
|
0d602d |
+ sss_semanage_close(sm_handle);
|
|
|
0d602d |
+ if (ret < 0) {
|
|
|
0d602d |
+ return EIO;
|
|
|
0d602d |
+ }
|
|
|
0d602d |
+
|
|
|
0d602d |
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
|
|
|
0d602d |
+
|
|
|
0d602d |
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
|
|
|
0d602d |
+}
|
|
|
0d602d |
+
|
|
|
0d602d |
int sss_get_seuser(const char *linuxuser,
|
|
|
0d602d |
char **selinuxuser,
|
|
|
0d602d |
char **level)
|
|
|
0d602d |
diff --git a/src/util/util.h b/src/util/util.h
|
|
|
0d602d |
index bc89ecb..c78615b 100644
|
|
|
0d602d |
--- a/src/util/util.h
|
|
|
0d602d |
+++ b/src/util/util.h
|
|
|
0d602d |
@@ -660,6 +660,7 @@ int sss_del_seuser(const char *login_name);
|
|
|
0d602d |
int sss_get_seuser(const char *linuxuser,
|
|
|
0d602d |
char **selinuxuser,
|
|
|
0d602d |
char **level);
|
|
|
0d602d |
+int sss_seuser_exists(const char *linuxuser);
|
|
|
0d602d |
|
|
|
0d602d |
/* convert time from generalized form to unix time */
|
|
|
0d602d |
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
|
|
|
0d602d |
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
|
|
0d602d |
index e2bb2a0..e5c5bd1 100644
|
|
|
0d602d |
--- a/src/util/util_errors.c
|
|
|
0d602d |
+++ b/src/util/util_errors.c
|
|
|
0d602d |
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
|
|
|
0d602d |
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
|
|
|
0d602d |
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
|
|
|
0d602d |
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
|
|
|
0d602d |
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
|
|
|
0d602d |
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
|
|
|
0d602d |
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
|
|
|
0d602d |
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
|
|
|
0d602d |
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
|
|
0d602d |
index 4950172..a4760a1 100644
|
|
|
0d602d |
--- a/src/util/util_errors.h
|
|
|
0d602d |
+++ b/src/util/util_errors.h
|
|
|
0d602d |
@@ -97,6 +97,7 @@ enum sssd_errors {
|
|
|
0d602d |
ERR_REFERRAL,
|
|
|
0d602d |
ERR_SELINUX_CONTEXT,
|
|
|
0d602d |
ERR_SELINUX_NOT_MANAGED,
|
|
|
0d602d |
+ ERR_SELINUX_USER_NOT_FOUND,
|
|
|
0d602d |
ERR_REGEX_NOMATCH,
|
|
|
0d602d |
ERR_TIMESPEC_NOT_SUPPORTED,
|
|
|
0d602d |
ERR_INVALID_CONFIG,
|
|
|
0d602d |
--
|
|
|
0d602d |
2.9.5
|
|
|
0d602d |
|