[sssd] Fix regressions with ipa and SELinux

Lukas Slebodnik lslebodn at fedoraproject.org
Mon Mar 23 16:18:25 UTC 2015


commit 36805df39726ce2af08a99d7a9a8b596b748b0c6
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Mon Mar 23 17:17:30 2015 +0100

    Fix regressions with ipa and SELinux
    
    - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
                                 context on client is staff_u

 ...ete-existing-user-mapping-on-empty-defaul.patch | 81 +++++++++++++++++++++
 ...dle-setup-with-empty-default-and-no-confi.patch | 82 ++++++++++++++++++++++
 sssd.spec                                          |  9 ++-
 3 files changed, 171 insertions(+), 1 deletion(-)
---
diff --git a/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch b/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
new file mode 100644
index 0000000..b1eb32e
--- /dev/null
+++ b/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
@@ -0,0 +1,81 @@
+From e991859590d4b598193f192674fca0ded1914bae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Fri, 13 Feb 2015 17:57:35 +0100
+Subject: [PATCH 16/17] selinux: Delete existing user mapping on empty default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/sssd/ticket/2587
+
+The case of SELinux default user mapping being an empty string is valid,
+it should translate into "pick the default context on the target
+machine".
+
+In case the context is empty, we need to delete the per-user mapping from
+the SELinux database to make sure the default is used.
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+Reviewed-by: Pavel Reichl <preichl at redhat.com>
+(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
+---
+ src/providers/ipa/ipa_selinux.c   | 14 ++++++++------
+ src/providers/ipa/selinux_child.c | 10 +++++++++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index f7e17c97f0bf8d6c64eb045c3bc954da8eb3d568..00c793a2643b51e59884730fa4f0ba3c7ed1bea6 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
+ 
+     /* If no maps match, we'll use the default SELinux user from the
+      * config */
+-    seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
++    seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
+     if (seuser_mls_str == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
+         return ENOMEM;
+     }
+ 
+-    ret = sysdb_attrs_add_string(state->defaults,
+-                                 IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+-                                 default_user);
+-    if (ret != EOK) {
+-        return ret;
++    if (default_user) {
++        ret = sysdb_attrs_add_string(state->defaults,
++                                    IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
++                                    default_user);
++        if (ret != EOK) {
++            return ret;
++        }
+     }
+ 
+     ret = sysdb_attrs_add_string(state->defaults,
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
+      * the directories are created with the expected permissions
+      */
+     old_mask = umask(0);
+-    ret = set_seuser(login_name, seuser_name, mls);
++    if (strcmp(seuser_name, "") == 0) {
++        /* An empty SELinux user should cause SSSD to use the system
++         * default. We need to remove the SELinux user from the DB
++         * in that case
++         */
++        ret = del_seuser(login_name);
++    } else {
++        ret = set_seuser(login_name, seuser_name, mls);
++    }
+     umask(old_mask);
+     return ret;
+ }
+-- 
+2.3.3
+
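Review bot: `strcmp(seuser_name, "")` in sc_set_seuser dereferences seuser_name unconditionally, and the only producer visible in this patch, unpack_buffer, still returns EINVAL for a zero-length seuser, so the new del_seuser branch is unreachable from the child until the follow-up patch (0017) relaxes that check; applying 0016 alone yields dead code. If seuser_name may be NULL on any other path, guard it: `if (seuser_name == NULL || *seuser_name == '\0')`. The empty-string substitution in choose_best_seuser (`default_user ? default_user : ""`) and the skipped sysdb attribute in ipa_get_selinux_maps_offline treat a NULL default differently (empty context vs. no attribute); a one-line comment at the offline branch stating that a missing attribute is read back as "use the system default" would make that intent explicit. The bodies of choose_best_seuser, ipa_get_selinux_maps_offline and sc_set_seuser all extend outside the hunk.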
diff --git a/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch b/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
new file mode 100644
index 0000000..28c1443
--- /dev/null
+++ b/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
@@ -0,0 +1,82 @@
+From 4c047cc4720227ca7ad80f02546493ba6e0199ef Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek at redhat.com>
+Date: Thu, 12 Mar 2015 16:31:13 +0100
+Subject: [PATCH 17/17] selinux: Handle setup with empty default and no
+ configured rules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD also needs to handle the setup where no rules match the machine and
+the default has no MLS component.
+
+Related to:
+https://fedorahosted.org/sssd/ticket/2587
+
+Reviewed-by: Michal Židek <mzidek at redhat.com>
+(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
+---
+ src/providers/ipa/ipa_selinux.c   |  4 ++--
+ src/providers/ipa/selinux_child.c | 10 ++++++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 00c793a2643b51e59884730fa4f0ba3c7ed1bea6..cdb0dfa388eb3743e0b937befd63cf05ae94b71e 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+ {
+     errno_t ret;
+     char *seuser;
+-    char *mls_range;
++    const char *mls_range;
+     char *ptr;
+     char *username;
+     char *username_final;
+@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+     }
+     if (*ptr == '\0') {
+         /* No mls_range specified */
+-        mls_range = NULL;
++        mls_range = "";
+     } else {
+         *ptr = '\0'; /* split */
+         mls_range = ptr + 1;
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
+     if (len == 0) {
+-        return EINVAL;
++        ibuf->seuser = "";
++        DEBUG(SSSDBG_TRACE_INTERNAL,
++              "Empty SELinux user, will delete the mapping\n");
+     } else {
+         if ((p + len ) > size) return EINVAL;
+         ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
+     if (len == 0) {
+-        return EINVAL;
++        if (strcmp(ibuf->seuser, "") != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
++            return EINVAL;
++        }
+     } else {
+         if ((p + len ) > size) return EINVAL;
+         ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
+     if (len == 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
+         return EINVAL;
+     } else {
+         if ((p + len ) > size) return EINVAL;
+-- 
+2.3.3
+
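Review bot: `ibuf->seuser = "";` in unpack_buffer stores a string literal where the other branch stores a talloc_strndup'd copy; if the field is declared `char *` (as the strndup assignment suggests) a later write through it or a talloc_free of that pointer is undefined behaviour. Allocating the empty string the same way, `ibuf->seuser = talloc_strdup(ibuf, "");` with the same NULL check as the non-empty branch, keeps ownership uniform. The later `strcmp(ibuf->seuser, "")` in the mls_range branch depends on seuser having been populated; that holds within the hunk, but the ENOMEM handling between the two hunks is not visible here. In the empty-seuser/empty-mls case `ibuf->mls_range` is left untouched — presumably NULL from allocation — and a short comment saying the delete path ignores it would help the next reader. unpack_buffer's body continues outside the hunk.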
diff --git a/sssd.spec b/sssd.spec
index 7f959cc..4e2b17e 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 1.12.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -51,6 +51,8 @@ Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
 Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
 Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
 Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
+Patch0016: 0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
+Patch0017: 0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -1019,6 +1021,11 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Mon Mar 23 2015 Lukas Slebodnik <lslebodn at redhat.com> - 1.12.4-5
+- Fix regressions with ipa and SELinux
+- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
+                             context on client is staff_u
+
 * Fri Mar  6 2015 Jakub Hrozek <jhrozek at redhat.com> - 1.12.4-4
 - Also relax libldb Requires
 - Remove --enable-ldb-version-check

