URL: https://github.com/SSSD/sssd/pull/645
Author: jhrozek
 Title: #645: SELINUX: Always add SELinux user to the semanage database if it 
doesn't exist
Action: opened

PR body:
"""
Previously, we tried to optimize too much and only set the SELinux user to
Linux user mapping in case the SELinux user was different from the system
default. But this doesn't work for the case where the Linux user has a
non-standard home directory, because then SELinux would not have any idea
that this user's home directory should be labeled as a home directory.

This patch relaxes the optimization in the sense that on the first login,
the SELinux context is saved regardless of whether it is the same as the
default or different.

Resolves: https://pagure.io/SSSD/sssd/issue/3819
"""

From e3e9d544dd80a53cd8dbe4ec0a3e3ca6cc3c9109 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 23 Aug 2018 13:55:51 +0200
Subject: [PATCH] SELINUX: Always add SELinux user to the semanage database if
 it doesn't exist

Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.

This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.

Resolves:
https://pagure.io/SSSD/sssd/issue/3819
---
 src/providers/ipa/selinux_child.c | 10 ++++++++--
 src/util/sss_semanage.c           | 30 ++++++++++++++++++++++++++++++
 src/util/util.h                   |  1 +
 src/util/util_errors.c            |  1 +
 src/util/util_errors.h            |  1 +
 5 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d061417a5a..925591ec90 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
 
     ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
     DEBUG(SSSDBG_TRACE_INTERNAL,
-          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+          "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
           ret, db_seuser ? db_seuser : "unknown",
           db_mls_range ? db_mls_range : "unknown");
     if (ret == EOK && db_seuser && db_mls_range &&
             strcmp(db_seuser, seuser) == 0 &&
             strcmp(db_mls_range, mls_range) == 0) {
-        needs_update = false;
+        ret = sss_seuser_exists(username);
+        if (ret == EOK) {
+            needs_update = false;
+        }
     }
     /* OR */
     if (ret == ERR_SELINUX_NOT_MANAGED) {
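Review bot: The new `ret = sss_seuser_exists(username);` inside the equality branch overwrites the sss_get_seuser status that the `/* OR */ if (ret == ERR_SELINUX_NOT_MANAGED)` check on the next line reads, so two different lookups now share one status variable. It is harmless today only because that branch is entered with ret == EOK and sss_seuser_exists returns EOK, EIO or ERR_SELINUX_USER_NOT_FOUND (see the sss_semanage.c hunk), none of which is ERR_SELINUX_NOT_MANAGED; a later change to either function would silently alter the fallthrough. Keeping the results apart makes the intent explicit: `int exists_ret = sss_seuser_exists(username); if (exists_ret == EOK) { needs_update = false; }`. An EIO from the exists check leaves needs_update true, so a libsemanage failure is treated as "update needed"; a one-line comment stating that this is deliberate would help the next reader. seuser_needs_update begins before this hunk.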
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
 
     free(db_seuser);
     free(db_mls_range);
+    DEBUG(SSSDBG_TRACE_FUNC,
+          "The SELinux user does %sneed an update\n",
+          needs_update ? "" : "not ");
     return needs_update;
 }
 
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index bcce57b603..158c3d1781 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -248,6 +248,36 @@ static int sss_semanage_user_mod(semanage_handle_t *handle,
     return ret;
 }
 
+int sss_seuser_exists(const char *linuxuser)
+{
+    int ret;
+    int exists;
+    semanage_seuser_key_t *sm_key = NULL;
+    semanage_handle_t *sm_handle;
+
+    ret = sss_semanage_init(&sm_handle);
+    if (ret < 0) {
+        return EIO;
+    }
+
+    ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
+    if (ret < 0) {
+        sss_semanage_close(sm_handle);
+        return EIO;
+    }
+
+    ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
+    semanage_seuser_key_free(sm_key);
+    sss_semanage_close(sm_handle);
+    if (ret < 0) {
+        return EIO;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
+
+    return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
+}
+
 int sss_get_seuser(const char *linuxuser,
                    char **selinuxuser,
                    char **level)
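Review bot: The check after `sss_semanage_init(&sm_handle)` tests `ret < 0`, but that helper appears to use the errno-style positive codes that sss_get_seuser in this file handles (EOK, ERR_SELINUX_NOT_MANAGED, EIO; the ERR_* values are positive members of enum sssd_errors), so an init failure would never be caught and `sm_handle`, declared without an initializer on the line above, would be passed to semanage_seuser_key_create uninitialized. Mirroring the convention used elsewhere in the file: `semanage_handle_t *sm_handle = NULL;` and `if (ret != EOK) { return EIO; }`. The `ret < 0` checks on the two libsemanage calls are fine, as those return negative on error. The function also lacks a header comment; something like `/* Returns EOK if linuxuser has a seuser mapping in the semanage database, ERR_SELINUX_USER_NOT_FOUND if it does not, EIO on libsemanage failures. */` would document the three-value contract the caller in selinux_child.c relies on.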
diff --git a/src/util/util.h b/src/util/util.h
index 867acf26ff..59e7a96ba5 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
 int sss_get_seuser(const char *linuxuser,
                    char **selinuxuser,
                    char **level);
+int sss_seuser_exists(const char *linuxuser);
 
 /* convert time from generalized form to unix time */
 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 920a178615..5f8a2a29ab 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
     { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+    { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
     { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5a50936261..c6731d4f99 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -97,6 +97,7 @@ enum sssd_errors {
     ERR_REFERRAL,
     ERR_SELINUX_CONTEXT,
     ERR_SELINUX_NOT_MANAGED,
+    ERR_SELINUX_USER_NOT_FOUND,
     ERR_REGEX_NOMATCH,
     ERR_TIMESPEC_NOT_SUPPORTED,
     ERR_INVALID_CONFIG,