From 39f9584222f5191289a07a40acba0bfc17ae487b Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Thu, 6 Apr 2017 16:03:16 +0200 Subject: [PATCH] Backport few upstrem fixes from master Resolves: upstream#3297 Fix issue with IPA + SELinux in containers Resolves: upstream#3360 Do not leak selinux context on clients destruction (cherry picked from commit 22e5820a7b4f77f95181b678ba7496d140a8d921) --- ...t-leak-selinux-context-on-clients-de.patch | 68 ++++++ ...o-not-fail-if-SELinux-is-not-managed.patch | 210 ++++++++++++++++++ sssd.spec | 10 +- 3 files changed, 287 insertions(+), 1 deletion(-) create mode 100644 0001-responders-do-not-leak-selinux-context-on-clients-de.patch create mode 100644 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch diff --git a/0001-responders-do-not-leak-selinux-context-on-clients-de.patch b/0001-responders-do-not-leak-selinux-context-on-clients-de.patch new file mode 100644 index 0000000..6ed5a36 --- /dev/null +++ b/0001-responders-do-not-leak-selinux-context-on-clients-de.patch @@ -0,0 +1,68 @@ +From 05c2c3047912fca1c1a35ab1c8d3157b05383495 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20B=C5=99ezina?= +Date: Mon, 3 Apr 2017 12:56:01 +0200 +Subject: [PATCH] responders: do not leak selinux context on clients + destruction +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The SELinux context created in get_client_cred is not talloc bound and +we were leaking it if available with each client's destruction. + +Resolves: +https://pagure.io/SSSD/sssd/issue/3360 + +Reviewed-by: Lukáš Slebodník +--- + src/responder/common/responder_common.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c +index 154d7dc7718c437d10e152fcba98161e2034fb14..67e1deefdfde19c95a68029b11099579d851513f 100644 +--- a/src/responder/common/responder_common.c ++++ b/src/responder/common/responder_common.c +@@ -97,7 +97,7 @@ static errno_t get_client_cred(struct cli_ctx *cctx) + SEC_CTX secctx; + int ret; + +- cctx->creds = talloc(cctx, struct cli_creds); ++ cctx->creds = talloc_zero(cctx, struct cli_creds); + if (!cctx->creds) return ENOMEM; + + #ifdef HAVE_UCRED +@@ -464,6 +464,22 @@ static void client_fd_handler(struct tevent_context *ev, + + static errno_t setup_client_idle_timer(struct cli_ctx *cctx); + ++static int cli_ctx_destructor(struct cli_ctx *cctx) ++{ ++ if (cctx->creds == NULL) { ++ return 0; ++ } ++ ++ if (cctx->creds->selinux_ctx == NULL) { ++ return 0; ++ } ++ ++ SELINUX_context_free(cctx->creds->selinux_ctx); ++ cctx->creds->selinux_ctx = NULL; ++ ++ return 0; ++} ++ + struct accept_fd_ctx { + struct resp_ctx *rctx; + bool is_private; +@@ -520,6 +536,8 @@ static void accept_fd_handler(struct tevent_context *ev, + return; + } + ++ talloc_set_destructor(cctx, cli_ctx_destructor); ++ + len = sizeof(cctx->addr); + cctx->cfd = accept(fd, (struct sockaddr *)&cctx->addr, &len); + if (cctx->cfd == -1) { +-- +2.12.2 + diff --git a/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch b/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch new file mode 100644 index 0000000..6b06a28 --- /dev/null +++ b/0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch @@ -0,0 +1,210 @@ +From 78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20=C5=BDidek?= +Date: Wed, 8 Feb 2017 12:01:37 +0100 +Subject: [PATCH] selinux: Do not fail if SELinux is not managed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Previously we failed if semanage_is_managed returned 0 or -1 (not +managed or error). With this patch we only fail in case of error and +continue normally if selinux is not managed by libsemanage at all. + +Resolves: +https://fedorahosted.org/sssd/ticket/3297 + +Reviewed-by: Lukáš Slebodník +--- + Makefile.am | 1 + + src/providers/ipa/selinux_child.c | 9 ++++-- + src/util/sss_semanage.c | 61 +++++++++++++++++++++++++-------------- + src/util/util_errors.c | 1 + + src/util/util_errors.h | 1 + + 5 files changed, 49 insertions(+), 24 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index 5264183cd199be464e5e99d2ab31ba4fcd77c5ec..d45c0ff757dfae378c71c6f8850fddce2c61cad8 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -4040,6 +4040,7 @@ selinux_child_SOURCES = \ + src/util/atomic_io.c \ + src/util/util.c \ + src/util/util_ext.c \ ++ src/util/util_errors.c + $(NULL) + selinux_child_CFLAGS = \ + $(AM_CFLAGS) \ +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 380005c7ad3269fc8113c62ceef30b076455b5dd..f8dd3954a7244df2dcbb910aabf8888f41306c09 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -174,14 +174,19 @@ static bool seuser_needs_update(struct input_buffer *ibuf) + + ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range); + DEBUG(SSSDBG_TRACE_INTERNAL, +- "get_seuser: ret: %d seuser: %s mls: %s\n", +- ret, db_seuser ? db_seuser : "unknown", ++ "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n", ++ ret, sss_strerror(ret), ++ db_seuser ? db_seuser : "unknown", + db_mls_range ? db_mls_range : "unknown"); + if (ret == EOK && db_seuser && db_mls_range && + strcmp(db_seuser, ibuf->seuser) == 0 && + strcmp(db_mls_range, ibuf->mls_range) == 0) { + needs_update = false; + } ++ /* OR */ ++ if (ret == ERR_SELINUX_NOT_MANAGED) { ++ needs_update = false; ++ } + + talloc_free(db_seuser); + talloc_free(db_mls_range); +diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c +index fe06bee1dfec3abca3aa3cd5e85e55386ac11343..0da97aad4d8eba733b131c2749932e03ca4242c4 100644 +--- a/src/util/sss_semanage.c ++++ b/src/util/sss_semanage.c +@@ -73,7 +73,7 @@ static void sss_semanage_close(semanage_handle_t *handle) + semanage_handle_destroy(handle); + } + +-static semanage_handle_t *sss_semanage_init(void) ++static int sss_semanage_init(semanage_handle_t **_handle) + { + int ret; + semanage_handle_t *handle = NULL; +@@ -81,7 +81,8 @@ static semanage_handle_t *sss_semanage_init(void) + handle = semanage_handle_create(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); +- return NULL; ++ ret = EIO; ++ goto done; + } + + semanage_msg_set_callback(handle, +@@ -89,28 +90,41 @@ static semanage_handle_t *sss_semanage_init(void) + NULL); + + ret = semanage_is_managed(handle); +- if (ret != 1) { +- DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); +- goto fail; ++ if (ret == 0) { ++ DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n"); ++ ret = ERR_SELINUX_NOT_MANAGED; ++ goto done; ++ } else if (ret == -1) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n"); ++ ret = EIO; ++ goto done; + } + + ret = semanage_access_check(handle); + if (ret < SEMANAGE_CAN_READ) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); +- goto fail; ++ ret = EACCES; ++ goto done; + } + + ret = semanage_connect(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot estabilish SELinux management connection\n"); +- goto fail; ++ ret = EIO; ++ goto done; + } + +- return handle; +-fail: +- sss_semanage_close(handle); +- return NULL; ++ ret = EOK; ++ ++done: ++ if (ret != EOK) { ++ sss_semanage_close(handle); ++ } else { ++ *_handle = handle; ++ } ++ ++ return ret; + } + + static int sss_semanage_user_add(semanage_handle_t *handle, +@@ -228,10 +242,11 @@ int set_seuser(const char *login_name, const char *seuser_name, + return EOK; + } + +- handle = sss_semanage_init(); +- if (!handle) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); +- ret = EIO; ++ ret = sss_semanage_init(&handle); ++ if (ret == ERR_SELINUX_NOT_MANAGED) { ++ goto done; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); + goto done; + } + +@@ -295,10 +310,11 @@ int del_seuser(const char *login_name) + int ret; + int exists = 0; + +- handle = sss_semanage_init(); +- if (!handle) { +- DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); +- ret = EIO; ++ ret = sss_semanage_init(&handle); ++ if (ret == ERR_SELINUX_NOT_MANAGED) { ++ goto done; ++ } else if (ret != EOK) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); + goto done; + } + +@@ -377,10 +393,11 @@ int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name, + semanage_seuser_t *sm_user = NULL; + semanage_seuser_key_t *sm_key = NULL; + +- sm_handle = sss_semanage_init(); +- if (sm_handle == NULL) { ++ ret = sss_semanage_init(&sm_handle); ++ if (ret == ERR_SELINUX_NOT_MANAGED) { ++ goto done; ++ } else if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); +- ret = EIO; + goto done; + } + +diff --git a/src/util/util_errors.c b/src/util/util_errors.c +index 466a3b4062f39b29d831a5d8a62dc8d576eb2e97..97eaf160f20bcc8cfe52254070a2d182e19addd4 100644 +--- a/src/util/util_errors.c ++++ b/src/util/util_errors.c +@@ -75,6 +75,7 @@ struct err_string error_to_str[] = { + { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */ + { "LDAP search returned a referral" }, /* ERR_REFERRAL */ + { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */ ++ { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */ + { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */ + { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */ + { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */ +diff --git a/src/util/util_errors.h b/src/util/util_errors.h +index 2f90c0a5d65325a431a8e4d9a480170808c9198e..4a250bf0339ba689680c155fa8e6d43f42c2467e 100644 +--- a/src/util/util_errors.h ++++ b/src/util/util_errors.h +@@ -97,6 +97,7 @@ enum sssd_errors { + ERR_NO_SYSBUS, + ERR_REFERRAL, + ERR_SELINUX_CONTEXT, ++ ERR_SELINUX_NOT_MANAGED, + ERR_REGEX_NOMATCH, + ERR_TIMESPEC_NOT_SUPPORTED, + ERR_INVALID_CONFIG, +-- +2.12.2 + diff --git a/sssd.spec b/sssd.spec index 185e482..88e99ac 100644 --- a/sssd.spec +++ b/sssd.spec @@ -30,7 +30,7 @@ Name: sssd Version: 1.15.2 -Release: 1%{?dist} +Release: 2%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -39,6 +39,9 @@ Source0: https://releases.pagure.org/SSSD/sssd/%{name}-%{version}.tar.gz BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) ### Patches ### +Patch0001: 0001-responders-do-not-leak-selinux-context-on-clients-de.patch +patch0002: 0002-selinux-Do-not-fail-if-SELinux-is-not-managed.patch + Patch0502: 0502-SYSTEMD-Use-capabilities.patch ### Dependencies ### @@ -1154,6 +1157,11 @@ fi %{_libdir}/%{name}/modules/libwbclient.so %changelog +* Thu Apr 06 2017 Lukas Slebodnik - 1.15.2-2 +- Backport few upstrem fixes from master +- Resolves: upstream#3297 Fix issue with IPA + SELinux in containers +- Resolves: upstream#3360 Do not leak selinux context on clients destruction + * Thu Mar 16 2017 Lukas Slebodnik - 1.15.2-1 - New upstream release 1.15.2 - https://docs.pagure.org/SSSD.sssd/users/relnotes/notes_1_15_2.html