|
 |
ecf709 |
From 9b7c29b67ec845b2004d6bcac2bcceabfd855f1e Mon Sep 17 00:00:00 2001
|
|
|
ecf709 |
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
|
|
ecf709 |
Date: Wed, 8 Feb 2017 12:01:37 +0100
|
|
|
ecf709 |
Subject: [PATCH 101/101] selinux: Do not fail if SELinux is not managed
|
|
|
ecf709 |
MIME-Version: 1.0
|
|
|
ecf709 |
Content-Type: text/plain; charset=UTF-8
|
|
|
ecf709 |
Content-Transfer-Encoding: 8bit
|
|
|
ecf709 |
|
|
|
ecf709 |
Previously we failed if semanage_is_managed returned 0 or -1 (not
|
|
|
ecf709 |
managed or error). With this patch we only fail in case of error and
|
|
|
ecf709 |
continue normally if selinux is not managed by libsemanage at all.
|
|
|
ecf709 |
|
|
|
ecf709 |
Resolves:
|
|
|
ecf709 |
https://fedorahosted.org/sssd/ticket/3297
|
|
|
ecf709 |
|
|
|
ecf709 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
ecf709 |
(cherry picked from commit 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33)
|
|
|
ecf709 |
---
|
|
|
ecf709 |
Makefile.am | 1 +
|
|
|
ecf709 |
src/providers/ipa/selinux_child.c | 9 ++++--
|
|
|
ecf709 |
src/util/sss_semanage.c | 61 +++++++++++++++++++++++++--------------
|
|
|
ecf709 |
src/util/util_errors.c | 1 +
|
|
|
ecf709 |
src/util/util_errors.h | 1 +
|
|
|
ecf709 |
5 files changed, 49 insertions(+), 24 deletions(-)
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/Makefile.am b/Makefile.am
|
|
|
ecf709 |
index f5ac363a35e4aae51e8b70bad27c7fc824be10f2..370d6442ec58a14946ad288a23c696f25ca98f47 100644
|
|
|
ecf709 |
--- a/Makefile.am
|
|
|
ecf709 |
+++ b/Makefile.am
|
|
|
ecf709 |
@@ -4040,6 +4040,7 @@ selinux_child_SOURCES = \
|
|
|
ecf709 |
src/util/atomic_io.c \
|
|
|
ecf709 |
src/util/util.c \
|
|
|
ecf709 |
src/util/util_ext.c \
|
|
|
ecf709 |
+ src/util/util_errors.c
|
|
|
ecf709 |
$(NULL)
|
|
|
ecf709 |
selinux_child_CFLAGS = \
|
|
|
ecf709 |
$(AM_CFLAGS) \
|
|
|
ecf709 |
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
|
|
|
ecf709 |
index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644
|
|
|
ecf709 |
--- a/src/providers/ipa/selinux_child.c
|
|
|
ecf709 |
+++ b/src/providers/ipa/selinux_child.c
|
|
|
ecf709 |
@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
|
|
|
ecf709 |
DEBUG(SSSDBG_TRACE_INTERNAL,
|
|
|
ecf709 |
- "get_seuser: ret: %d seuser: %s mls: %s\n",
|
|
|
ecf709 |
- ret, db_seuser ? db_seuser : "unknown",
|
|
|
ecf709 |
+ "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
|
|
|
ecf709 |
+ ret, sss_strerror(ret),
|
|
|
ecf709 |
+ db_seuser ? db_seuser : "unknown",
|
|
|
ecf709 |
db_mls_range ? db_mls_range : "unknown");
|
|
|
ecf709 |
if (ret == EOK && db_seuser && db_mls_range &&
|
|
|
ecf709 |
strcmp(db_seuser, ibuf->seuser) == 0 &&
|
|
|
ecf709 |
strcmp(db_mls_range, ibuf->mls_range) == 0) {
|
|
|
ecf709 |
needs_update = false;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
+ /* OR */
|
|
|
ecf709 |
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
|
ecf709 |
+ needs_update = false;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
|
|
|
ecf709 |
talloc_free(db_seuser);
|
|
|
ecf709 |
talloc_free(db_mls_range);
|
|
|
ecf709 |
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
|
|
|
ecf709 |
index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644
|
|
|
ecf709 |
--- a/src/util/sss_semanage.c
|
|
|
ecf709 |
+++ b/src/util/sss_semanage.c
|
|
|
ecf709 |
@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle)
|
|
|
ecf709 |
semanage_handle_destroy(handle);
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
-static semanage_handle_t *sss_semanage_init(void)
|
|
|
ecf709 |
+static int sss_semanage_init(semanage_handle_t **_handle)
|
|
|
ecf709 |
{
|
|
|
ecf709 |
int ret;
|
|
|
ecf709 |
semanage_handle_t *handle = NULL;
|
|
|
ecf709 |
@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void)
|
|
|
ecf709 |
handle = semanage_handle_create();
|
|
|
ecf709 |
if (!handle) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
|
|
|
ecf709 |
- return NULL;
|
|
|
ecf709 |
+ ret = EIO;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
semanage_msg_set_callback(handle,
|
|
|
ecf709 |
@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void)
|
|
|
ecf709 |
NULL);
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = semanage_is_managed(handle);
|
|
|
ecf709 |
- if (ret != 1) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
|
|
|
ecf709 |
- goto fail;
|
|
|
ecf709 |
+ if (ret == 0) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
|
|
|
ecf709 |
+ ret = ERR_SELINUX_NOT_MANAGED;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ } else if (ret == -1) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n");
|
|
|
ecf709 |
+ ret = EIO;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = semanage_access_check(handle);
|
|
|
ecf709 |
if (ret < SEMANAGE_CAN_READ) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
|
|
|
ecf709 |
- goto fail;
|
|
|
ecf709 |
+ ret = EACCES;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
ret = semanage_connect(handle);
|
|
|
ecf709 |
if (ret != 0) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
ecf709 |
"Cannot estabilish SELinux management connection\n");
|
|
|
ecf709 |
- goto fail;
|
|
|
ecf709 |
+ ret = EIO;
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- return handle;
|
|
|
ecf709 |
-fail:
|
|
|
ecf709 |
- sss_semanage_close(handle);
|
|
|
ecf709 |
- return NULL;
|
|
|
ecf709 |
+ ret = EOK;
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+done:
|
|
|
ecf709 |
+ if (ret != EOK) {
|
|
|
ecf709 |
+ sss_semanage_close(handle);
|
|
|
ecf709 |
+ } else {
|
|
|
ecf709 |
+ *_handle = handle;
|
|
|
ecf709 |
+ }
|
|
|
ecf709 |
+
|
|
|
ecf709 |
+ return ret;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
static int sss_semanage_user_add(semanage_handle_t *handle,
|
|
|
ecf709 |
@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name,
|
|
|
ecf709 |
return EOK;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
- handle = sss_semanage_init();
|
|
|
ecf709 |
- if (!handle) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
|
|
|
ecf709 |
- ret = EIO;
|
|
|
ecf709 |
+ ret = sss_semanage_init(&handle);
|
|
|
ecf709 |
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ } else if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -295,10 +310,11 @@ int del_seuser(const char *login_name)
|
|
|
ecf709 |
int ret;
|
|
|
ecf709 |
int exists = 0;
|
|
|
ecf709 |
|
|
|
ecf709 |
- handle = sss_semanage_init();
|
|
|
ecf709 |
- if (!handle) {
|
|
|
ecf709 |
- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
|
|
|
ecf709 |
- ret = EIO;
|
|
|
ecf709 |
+ ret = sss_semanage_init(&handle);
|
|
|
ecf709 |
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ } else if (ret != EOK) {
|
|
|
ecf709 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
|
|
|
ecf709 |
semanage_seuser_t *sm_user = NULL;
|
|
|
ecf709 |
semanage_seuser_key_t *sm_key = NULL;
|
|
|
ecf709 |
|
|
|
ecf709 |
- sm_handle = sss_semanage_init();
|
|
|
ecf709 |
- if (sm_handle == NULL) {
|
|
|
ecf709 |
+ ret = sss_semanage_init(&sm_handle);
|
|
|
ecf709 |
+ if (ret == ERR_SELINUX_NOT_MANAGED) {
|
|
|
ecf709 |
+ goto done;
|
|
|
ecf709 |
+ } else if (ret != EOK) {
|
|
|
ecf709 |
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
|
|
|
ecf709 |
- ret = EIO;
|
|
|
ecf709 |
goto done;
|
|
|
ecf709 |
}
|
|
|
ecf709 |
|
|
|
ecf709 |
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
|
|
|
ecf709 |
index 466a3b4062f39b29d831a5d8a62dc8d576eb2e97..97eaf160f20bcc8cfe52254070a2d182e19addd4 100644
|
|
|
ecf709 |
--- a/src/util/util_errors.c
|
|
|
ecf709 |
+++ b/src/util/util_errors.c
|
|
|
ecf709 |
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
|
|
|
ecf709 |
{ "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
|
|
|
ecf709 |
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
|
|
|
ecf709 |
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
|
|
|
ecf709 |
+ { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
|
|
|
ecf709 |
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
|
|
|
ecf709 |
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
|
|
|
ecf709 |
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
|
|
|
ecf709 |
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
|
|
|
ecf709 |
index 2f90c0a5d65325a431a8e4d9a480170808c9198e..4a250bf0339ba689680c155fa8e6d43f42c2467e 100644
|
|
|
ecf709 |
--- a/src/util/util_errors.h
|
|
|
ecf709 |
+++ b/src/util/util_errors.h
|
|
|
ecf709 |
@@ -97,6 +97,7 @@ enum sssd_errors {
|
|
|
ecf709 |
ERR_NO_SYSBUS,
|
|
|
ecf709 |
ERR_REFERRAL,
|
|
|
ecf709 |
ERR_SELINUX_CONTEXT,
|
|
|
ecf709 |
+ ERR_SELINUX_NOT_MANAGED,
|
|
|
ecf709 |
ERR_REGEX_NOMATCH,
|
|
|
ecf709 |
ERR_TIMESPEC_NOT_SUPPORTED,
|
|
|
ecf709 |
ERR_INVALID_CONFIG,
|
|
|
ecf709 |
--
|
|
|
ecf709 |
2.9.3
|
|
|
ecf709 |
|