URL: https://github.com/SSSD/sssd/pull/577
Author: fidencio
Title: #577: ipa: Use fqname on selinux_child_setup
Action: synchronized

To pull the PR as a Git branch:

    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/577/head:pr577
    git checkout pr577
From 221d87bbb2a3eb916342a34e86bb61e29d3cac6e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= <fiden...@redhat.com>
Date: Mon, 28 May 2018 15:31:19 +0200
Subject: [PATCH] selinux_child: workaround fqnames when using DRO
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When using domain_resolution_order the username will always be fully-qualified, which has been causing some SELinux issues as mappings for user 'admin' are not applied for 'admin@ipa.example'.

In order to work this around we can take advantage that selinux_child queries SSSD since commit 92addd7ba and call getpwnam() in order to get the username in the correct format.

seuser_needs_update() signature has been updated due to this change.

Resolves: https://pagure.io/SSSD/sssd/issue/3740

Signed-off-by: Fabiano Fidêncio <fiden...@redhat.com>
---
 src/providers/ipa/selinux_child.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 8177c65e7..142310aae 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -165,21 +165,23 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name, return ret; } -static bool seuser_needs_update(struct input_buffer *ibuf) +static bool seuser_needs_update(const char *username, + const char *seuser, + const char *mls_range) { bool needs_update = true; char *db_seuser = NULL; char *db_mls_range = NULL; errno_t ret; - ret = sss_get_seuser(ibuf->username, &db_seuser, &db_mls_range); + ret = sss_get_seuser(username, &db_seuser, &db_mls_range); DEBUG(SSSDBG_TRACE_INTERNAL, "getseuserbyname: ret: %d seuser: %s mls: %s\n", ret, db_seuser ? db_seuser : "unknown", db_mls_range ? db_mls_range : "unknown"); if (ret == EOK && db_seuser && db_mls_range && - strcmp(db_seuser, ibuf->seuser) == 0 && - strcmp(db_mls_range, ibuf->mls_range) == 0) { + strcmp(db_seuser, seuser) == 0 && + strcmp(db_mls_range, mls_range) == 0) { needs_update = false; } /* OR */ @@ -203,8 +205,10 @@ int main(int argc, const char *argv[]) ssize_t len = 0; struct input_buffer *ibuf = NULL; struct response *resp = NULL; + struct passwd *passwd = NULL; ssize_t written; bool needs_update; + const char *username; const char *opt_logger = NULL; struct poptOption long_options[] = { 
@@ -345,9 +349,20 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n"); - needs_update = seuser_needs_update(ibuf); + /* When using domain_resolution_order the username will always be + * fully-qualified, what has been causing some SELinux issues as mappings + * for user 'admin' are not applied for 'admin@ipa.example'. + * + * In order to work this around we can take advantage that selinux_child + * queries SSSD since commit 92addd7ba and call getpwnam() in order to get + * the username in the correct format. */ + passwd = getpwnam(ibuf->username); + username = passwd != NULL ? passwd->pw_name : ibuf->username; + + needs_update = seuser_needs_update(username, ibuf->seuser, + ibuf->mls_range); if (needs_update == true) { - ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range); + ret = sc_set_seuser(username, ibuf->seuser, ibuf->mls_range); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n"); goto fail;
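Review bot: the "getseuserbyname:" DEBUG trace in seuser_needs_update() (first hunk, @@ -165) still logs only ret, seuser and mls, not the `username` that was actually looked up; now that the caller may pass a name that differs from ibuf->username, add `username` to that message (e.g. `"getseuserbyname: user: %s ret: %d seuser: %s mls: %s\n"`) so a mismatch between the queried name and the one received from the parent is visible in the log.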
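Review bot: no `#include <pwd.h>` (or `<sys/types.h>`) is added anywhere in the patch, yet the new `struct passwd *passwd` declaration in the second hunk (@@ -203) and the getpwnam() call depend on it; please confirm selinux_child.c already pulls those headers in, otherwise the build will fail or fall back to an implicit declaration.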
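Review bot: in the third hunk (@@ -345) the getpwnam() failure path is silent: when `passwd == NULL` the code falls back to ibuf->username, which is exactly the fully-qualified form the commit message says does not match the SELinux mappings, but nothing is logged. Add a DEBUG (e.g. SSSDBG_MINOR_FAILURE, including errno) in that branch so an unexpected fallback can be diagnosed from the logs. Also, getpwnam() returns a pointer into static storage, so `username` is only valid until the next getpw*() call; if sss_get_seuser() or sc_set_seuser() ever perform such a lookup, pw_name would be overwritten while still in use, so copying it (talloc_strdup() onto ibuf, assuming ibuf is talloc-allocated) would be more robust. Minor: the new comment repeats the commit message's "what has been causing"; "which has been causing" reads better.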
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-devel@lists.fedorahosted.org/message/XYCON2H7UJW4VL6JZ5PFTBYFRLNQX2HP/