From 663fdd3897c5da1a54fcb51613bd71660ef9b19a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 20 Jun 2018 22:02:57 +0200
Subject: [PATCH] SELINUX: Also call is_selinux_enabled as a check for selinux child
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves:
https://pagure.io/SSSD/sssd/issue/3796

The SSSD selinux management routines were only checking if SELinux is
managed on the system. If it is managed, the code tries to proceed and
set the login context; otherwise an error is returned, which SSSD handles
gracefully.

But this is not enough: in some cases SELinux might be disabled but
managed, and in these cases SSSD was returning strange errors, which
might have prevented login with the selinux provider in effect.

We got this hint from the RH SELinux maintainer:
"""
libsemanage is for managing SELinux infrastructure. Generally, if there's
/etc/selinux/config where libsemanage can read SELINUXTYPE and the SELinux
module store - /etc/selinux//active (or /var/lib/selinux//active) - is
available, libsemanage can manage it even when SELinux is disabled.

I'm not sure if selinux_child does any is_selinux_enabled() checks, but
it could help to avoid such situations.
"""

Reviewed-by: Fabiano Fidêncio
(cherry picked from commit 1e81d040c75b2b15cab48fb7df1041138747e6c3)

DOWNSTREAM:
Resolves: rhbz#1583360 - The IPA selinux provider can return an error if SELinux is completely disabled
---
 src/util/sss_semanage.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index 7b0eef22330db8df6ab8f46da5fb76c68f6adabc..bcce57b603bd1c4d5c6465dbb5cc7a3fbe72412d 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -82,6 +82,10 @@ static int sss_is_selinux_managed(semanage_handle_t *handle) return EINVAL; } + if (!is_selinux_enabled()) { + return ERR_SELINUX_NOT_MANAGED; + } + ret = semanage_is_managed(handle); if (ret == 0) { DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n"); -- 2.17.1
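Review bot: `if (!is_selinux_enabled())` in sss_is_selinux_managed() only short-circuits when the call returns 0; is_selinux_enabled(3) returns -1 on error, which is truthy, so a failed check falls straight through to semanage_is_managed() and the old behaviour the commit message is trying to avoid. Prefer `if (is_selinux_enabled() != 1)` (or `<= 0`) so both "disabled" and "could not determine" bail out, and emit a DEBUG line before `return ERR_SELINUX_NOT_MANAGED;`, matching the `semanage_is_managed(handle) == 0` branch just below, so that a disabled-SELinux exit can be told apart from a genuinely unmanaged store when reading logs (the same error code is reused for both, which is fine given the commit message says SSSD handles it gracefully, but the log line is then the only way to tell them apart). The hunk also adds no `#include <selinux/selinux.h>`; that is fine only if sss_semanage.c already pulls in the libselinux header, otherwise the prototype for is_selinux_enabled() is missing.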