sssd/0010-SELINUX-Always-add-SELinux-user-to-the-semanage-data.patch
Michal Židek c0971b7e39 Backport a bunch of upstream fixes
- Resolves: upstream#3821 - crash related to sbus_router_destructor()
- Resolves: upstream#3810 - sbus2: fix memory leak in sbus_message_bound_ref
- Resolves: upstream#3819 - sssd only sets the SELinux login context if it
                            differs from the default
- Resolves: upstream#3807 - The sbus codegen script relies on "python" which
                            might not be available on all distributions
- Resolves: upstream#3820 - sudo: search with lower cased name for case
                            insensitive domains
- Resolves: upstream#3701 - [RFE] Allow changing default behavior of SSSD from
                            an allow-any default to a deny-any default when it
                            can't find any GPOs to apply to a user login.
- Resolves: upstream#3828 - Invalid domain provider causes SSSD to abort
                            startup
- Resolves: upstream#3500 - Make sure sssd is a replacement for pam_pkcs11
                            also for local account authentication
- Resolves: upstream#3812 - sssd 2.0.0 segfaults on startup
- Resolves: upstream#3826 - Remove references of sss_user/group/add/del
                            commands in man pages since local provider is
                            deprecated
- Resolves: upstream#3827 - SSSD should log to syslog if a domain is not
                            started due to a misconfiguration
- Resolves: upstream#3830 - Printing incorrect information about domain with
                            sssctl utility
- Resolves: upstream#3489 - p11_child should work wit openssl1.0+
- Resolves: upstream#3750 - [RFE] man 5 sssd-files should mention necessary
                            changes in nsswitch.conf
- Resovles: upstream#3650 - RFE: Require smartcard authentication
- Resolves: upstream#3334 - sssctl config-check does not check any special
                            characters in domain name of domain section
- Resolves: upstream#3849 - Files: The files provider always enumerates
                            which causes duplicate when running getent passwd
- Related: upstream#3855 - session not recording for local user when groups
                           defined
- Resolves: upstream#3802 - Reuse sysdb_error_to_errno() outside sysdb
- Related: upstream#3493 - Remove the pysss.local interface
2018-10-24 14:40:58 +02:00

146 lines
5.1 KiB
Diff

From 945865ae16120ffade267227ca48cefd58822fd2 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 23 Aug 2018 13:55:51 +0200
Subject: [PATCH 13/83] SELINUX: Always add SELinux user to the semanage
database if it doesn't exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.
This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.
Resolves:
https://pagure.io/SSSD/sssd/issue/3819
Reviewed-by: Michal Židek <mzidek@redhat.com>
---
src/providers/ipa/selinux_child.c | 10 ++++++++--
src/util/sss_semanage.c | 30 ++++++++++++++++++++++++++++++
src/util/util.h | 1 +
src/util/util_errors.c | 1 +
src/util/util_errors.h | 1 +
5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index d061417..925591e 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
DEBUG(SSSDBG_TRACE_INTERNAL,
- "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+ "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
ret, db_seuser ? db_seuser : "unknown",
db_mls_range ? db_mls_range : "unknown");
if (ret == EOK && db_seuser && db_mls_range &&
strcmp(db_seuser, seuser) == 0 &&
strcmp(db_mls_range, mls_range) == 0) {
- needs_update = false;
+ ret = sss_seuser_exists(username);
+ if (ret == EOK) {
+ needs_update = false;
+ }
}
/* OR */
if (ret == ERR_SELINUX_NOT_MANAGED) {
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
free(db_seuser);
free(db_mls_range);
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "The SELinux user does %sneed an update\n",
+ needs_update ? "" : "not ");
return needs_update;
}
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index bcce57b..aea0385 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -248,6 +248,36 @@ done:
return ret;
}
+int sss_seuser_exists(const char *linuxuser)
+{
+ int ret;
+ int exists;
+ semanage_seuser_key_t *sm_key = NULL;
+ semanage_handle_t *sm_handle = NULL;
+
+ ret = sss_semanage_init(&sm_handle);
+ if (ret != EOK) {
+ return ret;
+ }
+
+ ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
+ if (ret < 0) {
+ sss_semanage_close(sm_handle);
+ return EIO;
+ }
+
+ ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
+ semanage_seuser_key_free(sm_key);
+ sss_semanage_close(sm_handle);
+ if (ret < 0) {
+ return EIO;
+ }
+
+ DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
+
+ return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
+}
+
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level)
diff --git a/src/util/util.h b/src/util/util.h
index 867acf2..59e7a96 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
int sss_get_seuser(const char *linuxuser,
char **selinuxuser,
char **level);
+int sss_seuser_exists(const char *linuxuser);
/* convert time from generalized form to unix time */
errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 920a178..5f8a2a2 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
{ "LDAP search returned a referral" }, /* ERR_REFERRAL */
{ "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
{ "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+ { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
{ "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
{ "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
{ "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index 5a50936..c6731d4 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -97,6 +97,7 @@ enum sssd_errors {
ERR_REFERRAL,
ERR_SELINUX_CONTEXT,
ERR_SELINUX_NOT_MANAGED,
+ ERR_SELINUX_USER_NOT_FOUND,
ERR_REGEX_NOMATCH,
ERR_TIMESPEC_NOT_SUPPORTED,
ERR_INVALID_CONFIG,
--
2.9.5