From a77f0b5c39b1f6c497b2b5c6c072d2f4f6e7a745 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Mon, 26 Jan 2015 15:15:29 +0100
Subject: [PATCH 182/183] SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2564
libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check.
Reviewed-by: Michal Židek
(cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
---
 src/providers/ipa/selinux_child.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index a38ffcb26f890349f47478063103e603fe6304cf..bda89c847dc160e1d667d333ee515cf7260e7db8 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -197,7 +197,23 @@ int main(int argc, const char *argv[])
 DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
 DEBUG(SSSDBG_TRACE_INTERNAL,
- "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+ "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
+ geteuid(), getegid());
+
+ /* libsemanage calls access(2) which works with real IDs, not effective.
+ * We need to switch also the real ID to 0.
+ */
+ if (getuid() != 0) {
+ setuid(0);
+ }
+
+ if (getgid() != 0) {
+ setgid(0);
+ }
+
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
+ getuid(), getgid());
 main_ctx = talloc_new(NULL);
 if (main_ctx == NULL) {
--
2.1.0
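Review bot: The added `setuid(0)` and `setgid(0)` calls discard their return values, so if either call fails this setuid helper keeps running with a non-root real ID and the only trace is the TRACE_INTERNAL message printed afterwards. Because the commit message says the later access(2) checks depend on the real UID, a failed switch should be reported at a failure level together with errno, and preferably end the child rather than let the SELinux calls fail later in a way that is harder to diagnose. The new comment names libsemanage while the commit message names libselinux; one of the two should be corrected. main() begins and continues outside this hunk, so the exit path in the sketch is left as a comment, and errno is assumed to be declared already in this file.

```c
    if (getuid() != 0) {
        if (setuid(0) == -1) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "setuid(0) failed: [%d]\n", errno);
            /* … leave through main()'s existing failure path … */
        }
    }

    if (getgid() != 0) {
        if (setgid(0) == -1) {
            DEBUG(SSSDBG_CRIT_FAILURE,
                  "setgid(0) failed: [%d]\n", errno);
            /* … leave through main()'s existing failure path … */
        }
    }
    /* … unchanged: DEBUG of the real IDs, talloc_new … */
```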