From cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce Mon Sep 17 00:00:00 2001
From: Justin Stephenson <jstephen@redhat.com>
Date: Thu, 9 Mar 2017 17:21:37 -0500
Subject: [PATCH 107/115] SELINUX: Use getseuserbyname to get IPA seuser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The libselinux function getseuserbyname is more reliable method to retrieve
SELinux usernames than functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
---
 Makefile.am                       |  1 +
 src/providers/ipa/selinux_child.c | 12 +++----
 src/util/sss_semanage.c           | 73 ---------------------------------------
 src/util/util.h                   |  2 --
 4 files changed, 7 insertions(+), 81 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index cb5c405a453cacbe5c2464ea09c0e6353253a789..42d7e4a1751202cb47658c37d38487c558b780af 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4107,6 +4107,7 @@ selinux_child_LDADD = \
     $(POPT_LIBS) \
     $(DHASH_LIBS) \
     $(SEMANAGE_LIBS) \
+    $(SELINUX_LIBS) \
     $(NULL)
 endif
 
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index f8dd3954a7244df2dcbb910aabf8888f41306c09..073475094ee491bd5453898c6ba65214fa14fe59 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <sys/stat.h>
 #include <popt.h>
+#include <selinux/selinux.h>
 
 #include "util/util.h"
 #include "util/child_common.h"
@@ -172,11 +173,10 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
     char *db_mls_range = NULL;
     errno_t ret;
 
-    ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
+    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);
     DEBUG(SSSDBG_TRACE_INTERNAL,
-          "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
-          ret, sss_strerror(ret),
-          db_seuser ? db_seuser : "unknown",
+          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+          ret, db_seuser ? db_seuser : "unknown",
           db_mls_range ? db_mls_range : "unknown");
     if (ret == EOK && db_seuser && db_mls_range &&
             strcmp(db_seuser, ibuf->seuser) == 0 &&
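Review bot: getseuserbyname() signals failure as -1 with errno set rather than returning an errno_t, so the rewritten trace line, which dropped the `sss_strerror(ret)` argument, no longer records why a lookup failed (the `ret == EOK` test on the next line is still correct only because EOK is 0). Capture the reason immediately after the call, before DEBUG can clobber it, with `int saved_errno = errno;` on the line following `ret = getseuserbyname(...)`, and add an argument such as `ret == 0 ? "ok" : strerror(saved_errno)` behind a `[%s]` in the format string. As far as I recall, libselinux also falls back to the `__default__` seusers entry for a login that has no explicit mapping, so a user whose IPA seuser and MLS range happen to equal the defaults would be reported as not needing an update even though no per-user entry exists; if that is intended, a comment like `/* getseuserbyname() may return the __default__ mapping, so an equal default also counts as up to date */` above the call would save the next reader the check. seuser_needs_update() starts and ends outside this hunk.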
@@ -188,8 +188,8 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
         needs_update = false;
     }
 
-    talloc_free(db_seuser);
-    talloc_free(db_mls_range);
+    free(db_seuser);
+    free(db_mls_range);
     return needs_update;
 }
 
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index 0da97aad4d8eba733b131c2749932e03ca4242c4..37278cc986a1ea49dc2218a635d52b9d54ca089d 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
@@ -382,73 +382,6 @@ done:
     sss_semanage_close(handle);
     return ret;
 }
-
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range)
-{
-    errno_t ret;
-    const char *seuser;
-    const char *mls_range;
-    semanage_handle_t *sm_handle = NULL;
-    semanage_seuser_t *sm_user = NULL;
-    semanage_seuser_key_t *sm_key = NULL;
-
-    ret = sss_semanage_init(&sm_handle);
-    if (ret == ERR_SELINUX_NOT_MANAGED) {
-        goto done;
-    } else if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
-        goto done;
-    }
-
-    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);
-        ret = EIO;
-        goto done;
-    }
-
-    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);
-    if (ret < 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);
-        ret = EIO;
-        goto done;
-    }
-
-    seuser = semanage_seuser_get_sename(sm_user);
-    if (seuser != NULL) {
-        *_seuser = talloc_strdup(mem_ctx, seuser);
-        if (*_seuser == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-        DEBUG(SSSDBG_OP_FAILURE,
-              "SELinux user for %s: %s\n", login_name, *_seuser);
-    } else {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);
-    }
-
-    mls_range = semanage_seuser_get_mlsrange(sm_user);
-    if (mls_range != NULL) {
-        *_mls_range = talloc_strdup(mem_ctx, mls_range);
-        if (*_mls_range == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-        DEBUG(SSSDBG_OP_FAILURE,
-              "SELinux range for %s: %s\n", login_name, *_mls_range);
-    } else {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);
-    }
-
-    ret = EOK;
-done:
-    semanage_seuser_key_free(sm_key);
-    semanage_seuser_free(sm_user);
-    sss_semanage_close(sm_handle);
-    return ret;
-}
-
 #else /* HAVE_SEMANAGE */
 int set_seuser(const char *login_name, const char *seuser_name,
                const char *mls)
@@ -460,10 +393,4 @@ int del_seuser(const char *login_name)
 {
     return EOK;
 }
-
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range)
-{
-    return EOK;
-}
 #endif  /* HAVE_SEMANAGE */
diff --git a/src/util/util.h b/src/util/util.h
index 3d8bfe4795e976294b565c0869e3b842cf318efd..37383011763a9a2a3c2c066215e3ed94aca77308 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -650,8 +650,6 @@ errno_t restore_creds(struct sss_creds *saved_creds);
 int set_seuser(const char *login_name, const char *seuser_name,
                const char *mlsrange);
 int del_seuser(const char *login_name);
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range);
 
 /* convert time from generalized form to unix time */
 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);
-- 
2.14.1