From 1a04637d4c07762c44889963eb25a405d24397cf Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Thu, 12 Mar 2015 16:31:13 +0100
Subject: [PATCH 193/193] selinux: Handle setup with empty default and no configured rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component.
Related to: https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek
(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
(cherry picked from commit 4b6ee69fb1f713aae125b0fc2d345846e7a0d642)
---
 src/providers/ipa/ipa_selinux.c | 4 ++--
 src/providers/ipa/selinux_child.c | 10 ++++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 0716536cdb3b34d386ed1a31e6a239a09173b25b..899dd07105a98faac9430211404499911434f6d6 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
 {
 errno_t ret;
 char *seuser;
- char *mls_range;
+ const char *mls_range;
 char *ptr;
 char *username;
 char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
 }
 if (*ptr == '\0') {
 /* No mls_range specified */
- mls_range = NULL;
+ mls_range = "";
 } else {
 *ptr = '\0'; /* split */
 mls_range = ptr + 1;
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 2f79dea109752de09af1105495e1ca8db1e80680..abcb93b1a76783fd048ddebc976830ac42e1f757 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
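Review bot: The comment `/* No mls_range specified */` in the @@ -834 hunk no longer explains the value next to it: the branch now produces an empty string instead of NULL, and nothing records that the empty string is what the receiving side is meant to read as "no MLS component". I would extend it to `/* No mls_range specified; pass "" so the child receives a zero-length field rather than NULL */`, assuming the code that packs the buffer (outside this hunk) derives the length from the string. selinux_child_setup starts and ends outside the hunk, so how mls_range is consumed afterwards cannot be confirmed from here.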
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
 if (len == 0) {
- return EINVAL;
+ ibuf->seuser = "";
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Empty SELinux user, will delete the mapping\n");
 } else {
 if ((p + len ) > size) return EINVAL;
 ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
 if (len == 0) {
- return EINVAL;
+ if (strcmp(ibuf->seuser, "") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+ return EINVAL;
+ }
 } else {
 if ((p + len ) > size) return EINVAL;
 ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
 if (len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
 return EINVAL;
 } else {
 if ((p + len ) > size) return EINVAL;
-- 
2.1.0
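Review bot: In the @@ -49 hunk, `ibuf->seuser = "";` stores a string literal in a field that the else branch fills with `talloc_strndup(ibuf, ...)`, so the field now points at either talloc-owned or static memory depending on the input. If any later code (not visible here) frees, steals or writes through ibuf->seuser, the literal case breaks it. Allocating the empty value the same way keeps ownership uniform: `ibuf->seuser = talloc_strdup(ibuf, ""); if (ibuf->seuser == NULL) return ENOMEM;`. unpack_buffer starts and ends outside the hunk.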
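Review bot: When len is 0 and the SELinux user is empty, the @@ -62 hunk falls through without assigning `ibuf->mls_range`, so the field keeps whatever the struct held at allocation, while seuser is given a defined empty value in the same situation. Unless ibuf is zero-initialised and every consumer tolerates NULL (neither is visible in this hunk), I would assign it in that branch, e.g. `ibuf->mls_range = talloc_strdup(ibuf, ""); if (ibuf->mls_range == NULL) return ENOMEM;`. Separately, the test `strcmp(ibuf->seuser, "") != 0` keys on string content, so a seuser field with a non-zero length whose first byte is NUL is also treated as empty; remembering the seuser length from the first block and comparing that with 0 would make the delete-the-mapping path depend only on the length field. unpack_buffer starts and ends outside the hunk.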