diff options
| author | Michal Zidek <mzidek@redhat.com> | 2014-09-24 15:50:04 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-10-20 21:26:19 +0200 |
| commit | 42ec8af02ecf1937e4db9b1ecc6216022634f0f9 (patch) | |
| tree | 82d811f4df92407bf054a60631d6e43eb5b3b0e8 | |
| parent | ac13f3d51d3d02e7b1a6d73b46b68823aaac1a56 (diff) | |
| download | sssd-42ec8af02ecf1937e4db9b1ecc6216022634f0f9.tar.gz sssd-42ec8af02ecf1937e4db9b1ecc6216022634f0f9.tar.xz sssd-42ec8af02ecf1937e4db9b1ecc6216022634f0f9.zip | |
util: Move semanage related functions to src/util
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| -rw-r--r-- | Makefile.am | 37 | ||||
| -rw-r--r-- | src/tests/dlopen-tests.c | 1 | ||||
| -rw-r--r-- | src/tools/selinux.c | 334 | ||||
| -rw-r--r-- | src/tools/tools_util.h | 2 | ||||
| -rw-r--r-- | src/util/sss_semanage.c | 360 | ||||
| -rw-r--r-- | src/util/util.h | 4 |
6 files changed, 393 insertions, 345 deletions
diff --git a/Makefile.am b/Makefile.am index 6a8124b5a..49acdb107 100644 --- a/Makefile.am +++ b/Makefile.am @@ -476,10 +476,6 @@ if BUILD_SELINUX PYTHON_BINDINGS_LIBS += $(SELINUX_LIBS) TOOLS_LIBS += $(SELINUX_LIBS) endif -if BUILD_SEMANAGE - PYTHON_BINDINGS_LIBS += $(SEMANAGE_LIBS) - TOOLS_LIBS += $(SEMANAGE_LIBS) -endif dist_noinst_HEADERS = \ src/monitor/monitor.h \ @@ -728,11 +724,26 @@ libsss_util_la_SOURCES += \ endif libsss_util_la_LDFLAGS = -avoid-version +pkglib_LTLIBRARIES += libsss_semanage.la +libsss_semanage_la_SOURCES = \ + src/util/sss_semanage.c \ + $(NULL) +libsss_semanage_la_LIBADD = \ + libsss_debug.la \ + $(NULL) +if BUILD_SEMANAGE +libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) +endif + +libsss_semanage_la_LDFLAGS = \ + -avoid-version + SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ libsss_crypt.la \ libsss_debug.la \ - libsss_child.la + libsss_child.la \ + $(NULL) if BUILD_IFP if BUILD_CONFIG_LIB @@ -1065,7 +1076,9 @@ sss_useradd_SOURCES = \ $(SSSD_TOOLS_OBJ) sss_useradd_LDADD = \ $(TOOLS_LIBS) \ - $(SSSD_INTERNAL_LTLIBS) + $(SSSD_INTERNAL_LTLIBS) \ + libsss_semanage.la \ + $(NULL) sss_userdel_SOURCES = \ src/tools/sss_userdel.c \ @@ -1073,7 +1086,9 @@ sss_userdel_SOURCES = \ sss_userdel_LDADD = \ $(TOOLS_LIBS) \ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) sss_userdel_CFLAGS = \ $(AM_CFLAGS) @@ -1099,7 +1114,9 @@ sss_usermod_SOURCES = \ sss_usermod_LDADD = \ $(TOOLS_LIBS) \ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) sss_usermod_CFLAGS = $(AM_CFLAGS) sss_groupmod_SOURCES = \ @@ -2372,7 +2389,9 @@ libsss_ipa_la_LIBADD = \ libsss_ldap_common.la \ libsss_krb5_common.la \ libipa_hbac.la \ - libsss_idmap.la + libsss_idmap.la \ + libsss_semanage.la \ + $(NULL) libsss_ipa_la_LDFLAGS = \ -avoid-version \ -module diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c index 1dd80c49c..7e56d6524 100644 --- a/src/tests/dlopen-tests.c +++ b/src/tests/dlopen-tests.c @@ -38,6 +38,7 @@ struct so { const char *libs[6]; } so[] = { { "libsss_debug.so", { LIBPFX"libsss_debug.so", NULL } }, + { "libsss_semanage.so", { LIBPFX"libsss_semanage.so", NULL } }, { "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } }, { "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } }, { "libsss_nss_idmap.so", { LIBPFX"libsss_nss_idmap.so", NULL } }, diff --git a/src/tools/selinux.c b/src/tools/selinux.c index 1f87d40f9..5e9c458f9 100644 --- a/src/tools/selinux.c +++ b/src/tools/selinux.c @@ -27,16 +27,8 @@ #include <selinux/selinux.h> #endif -#ifdef HAVE_SEMANAGE -#include <semanage/semanage.h> -#endif - #include "tools/tools_util.h" -#ifndef DEFAULT_SERANGE -#define DEFAULT_SERANGE "s0" -#endif - #ifdef HAVE_SELINUX /* * selinux_file_context - Set the security context before any file or @@ -89,329 +81,3 @@ int reset_selinux_file_context(void) return EOK; } #endif /* HAVE_SELINUX */ - -#ifdef HAVE_SEMANAGE -/* turn libselinux messages into SSSD DEBUG() calls */ -static void sss_semanage_error_callback(void *varg, - semanage_handle_t *handle, - const char *fmt, ...) -{ - int level = SSSDBG_INVALID; - int ret; - char * message = NULL; - va_list ap; - - switch (semanage_msg_get_level(handle)) { - case SEMANAGE_MSG_ERR: - level = SSSDBG_CRIT_FAILURE; - break; - case SEMANAGE_MSG_WARN: - level = SSSDBG_MINOR_FAILURE; - break; - case SEMANAGE_MSG_INFO: - level = SSSDBG_TRACE_FUNC; - break; - } - - va_start(ap, fmt); - ret = vasprintf(&message, fmt, ap); - va_end(ap); - if (ret < 0) { - /* ENOMEM */ - return; - } - - if (DEBUG_IS_SET(level)) - debug_fn(__FILE__, __LINE__, "libsemanage", level, "%s\n", message); - free(message); -} - -static semanage_handle_t *sss_semanage_init(void) -{ - int ret; - semanage_handle_t *handle = NULL; - - handle = semanage_handle_create(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); - return NULL; - } - - semanage_msg_set_callback(handle, - sss_semanage_error_callback, - NULL); - - ret = semanage_is_managed(handle); - if (ret != 1) { - DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); - goto fail; - } - - ret = semanage_access_check(handle); - if (ret < SEMANAGE_CAN_READ) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); - goto fail; - } - - ret = semanage_connect(handle); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot estabilish SELinux management connection\n"); - goto fail; - } - - ret = semanage_begin_transaction(handle); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); - goto fail; - } - - return handle; -fail: - semanage_handle_destroy(handle); - return NULL; -} - -static int sss_semanage_user_add(semanage_handle_t *handle, - semanage_seuser_key_t *key, - const char *login_name, - const char *seuser_name) -{ - int ret; - semanage_seuser_t *seuser = NULL; - - ret = semanage_seuser_create(handle, &seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot create SELinux login mapping for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_name(handle, seuser, login_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set serange for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_sename(handle, seuser, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set SELinux user for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_modify_local(handle, key, seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not add login mapping for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_free(seuser); - return ret; -} - -static int sss_semanage_user_mod(semanage_handle_t *handle, - semanage_seuser_key_t *key, - const char *login_name, - const char *seuser_name) -{ - int ret; - semanage_seuser_t *seuser = NULL; - - semanage_seuser_query(handle, key, &seuser); - if (seuser == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not query seuser for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set serange for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_sename(handle, seuser, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_modify_local(handle, key, seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Could not modify login mapping for %s\n"), login_name); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_free(seuser); - return ret; -} - -int set_seuser(const char *login_name, const char *seuser_name) -{ - semanage_handle_t *handle = NULL; - semanage_seuser_key_t *key = NULL; - int ret; - int seuser_exists = 0; - - if (seuser_name == NULL) { - /* don't care, just let system pick the defaults */ - return EOK; - } - - handle = sss_semanage_init(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_key_create(handle, login_name, &key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_exists(handle, key, &seuser_exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (seuser_exists) { - ret = sss_semanage_user_mod(handle, key, login_name, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n"); - ret = EIO; - goto done; - } - } else { - ret = sss_semanage_user_add(handle, key, login_name, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n"); - ret = EIO; - goto done; - } - } - - ret = semanage_commit(handle); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_key_free(key); - semanage_handle_destroy(handle); - return ret; -} - -int del_seuser(const char *login_name) -{ - semanage_handle_t *handle = NULL; - semanage_seuser_key_t *key = NULL; - int ret; - int exists = 0; - - handle = sss_semanage_init(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_key_create(handle, login_name, &key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_exists(handle, key, &exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (!exists) { - DEBUG(SSSDBG_FUNC_DATA, - "Login mapping for %s is not defined, OK if default mapping " - "was used\n", login_name); - ret = EOK; /* probably default mapping */ - goto done; - } - - ret = semanage_seuser_exists_local(handle, key, &exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (!exists) { - DEBUG(SSSDBG_CRIT_FAILURE, "Login mapping for %s is defined in policy, " - "cannot be deleted", login_name); - ret = ENOENT; - goto done; - } - - ret = semanage_seuser_del_local(handle, key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not delete login mapping for %s", login_name); - ret = EIO; - goto done; - } - - ret = semanage_commit(handle); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_handle_destroy(handle); - return ret; -} - -#else /* HAVE_SEMANAGE */ -int set_seuser(const char *login_name, const char *seuser_name) -{ - return EOK; -} - -int del_seuser(const char *login_name) -{ - return EOK; -} -#endif /* HAVE_SEMANAGE */ diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h index 87fe752ea..c5990b012 100644 --- a/src/tools/tools_util.h +++ b/src/tools/tools_util.h @@ -123,7 +123,5 @@ int copy_tree(const char *src_root, const char *dst_root, /* from selinux.c */ int selinux_file_context(const char *dst_name); int reset_selinux_file_context(void); -int set_seuser(const char *login_name, const char *seuser_name); -int del_seuser(const char *login_name); #endif /* __TOOLS_UTIL_H__ */ diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c new file mode 100644 index 000000000..dbef3b343 --- /dev/null +++ b/src/util/sss_semanage.c @@ -0,0 +1,360 @@ +/* + SSSD + + sss_semanage.c + + Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "config.h" + +#include <stdio.h> + +#ifdef HAVE_SEMANAGE +#include <semanage/semanage.h> +#endif + +#include "util/util.h" + +#ifndef DEFAULT_SERANGE +#define DEFAULT_SERANGE "s0" +#endif + +#ifdef HAVE_SEMANAGE +/* turn libselinux messages into SSSD DEBUG() calls */ +static void sss_semanage_error_callback(void *varg, + semanage_handle_t *handle, + const char *fmt, ...) +{ + int level = SSSDBG_INVALID; + int ret; + char * message = NULL; + va_list ap; + + switch (semanage_msg_get_level(handle)) { + case SEMANAGE_MSG_ERR: + level = SSSDBG_CRIT_FAILURE; + break; + case SEMANAGE_MSG_WARN: + level = SSSDBG_MINOR_FAILURE; + break; + case SEMANAGE_MSG_INFO: + level = SSSDBG_TRACE_FUNC; + break; + } + + va_start(ap, fmt); + ret = vasprintf(&message, fmt, ap); + va_end(ap); + if (ret < 0) { + /* ENOMEM */ + return; + } + + if (DEBUG_IS_SET(level)) + debug_fn(__FILE__, __LINE__, "libsemanage", level, "%s\n", message); + free(message); +} + +static semanage_handle_t *sss_semanage_init(void) +{ + int ret; + semanage_handle_t *handle = NULL; + + handle = semanage_handle_create(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); + return NULL; + } + + semanage_msg_set_callback(handle, + sss_semanage_error_callback, + NULL); + + ret = semanage_is_managed(handle); + if (ret != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); + goto fail; + } + + ret = semanage_access_check(handle); + if (ret < SEMANAGE_CAN_READ) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); + goto fail; + } + + ret = semanage_connect(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot estabilish SELinux management connection\n"); + goto fail; + } + + ret = semanage_begin_transaction(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); + goto fail; + } + + return handle; +fail: + semanage_handle_destroy(handle); + return NULL; +} + +static int sss_semanage_user_add(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + ret = semanage_seuser_create(handle, &seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create SELinux login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_name(handle, seuser, login_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set SELinux user for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +static int sss_semanage_user_mod(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + semanage_seuser_query(handle, key, &seuser); + if (seuser == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not query seuser for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Could not modify login mapping for %s\n"), login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +int set_seuser(const char *login_name, const char *seuser_name) +{ + semanage_handle_t *handle = NULL; + semanage_seuser_key_t *key = NULL; + int ret; + int seuser_exists = 0; + + if (seuser_name == NULL) { + /* don't care, just let system pick the defaults */ + return EOK; + } + + handle = sss_semanage_init(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &seuser_exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (seuser_exists) { + ret = sss_semanage_user_mod(handle, key, login_name, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n"); + ret = EIO; + goto done; + } + } else { + ret = sss_semanage_user_add(handle, key, login_name, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n"); + ret = EIO; + goto done; + } + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_key_free(key); + semanage_handle_destroy(handle); + return ret; +} + +int del_seuser(const char *login_name) +{ + semanage_handle_t *handle = NULL; + semanage_seuser_key_t *key = NULL; + int ret; + int exists = 0; + + handle = sss_semanage_init(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (!exists) { + DEBUG(SSSDBG_FUNC_DATA, + "Login mapping for %s is not defined, OK if default mapping " + "was used\n", login_name); + ret = EOK; /* probably default mapping */ + goto done; + } + + ret = semanage_seuser_exists_local(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (!exists) { + DEBUG(SSSDBG_CRIT_FAILURE, "Login mapping for %s is defined in policy, " + "cannot be deleted", login_name); + ret = ENOENT; + goto done; + } + + ret = semanage_seuser_del_local(handle, key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not delete login mapping for %s", login_name); + ret = EIO; + goto done; + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_handle_destroy(handle); + return ret; +} + +#else /* HAVE_SEMANAGE */ +int set_seuser(const char *login_name, const char *seuser_name) +{ + return EOK; +} + +int del_seuser(const char *login_name) +{ + return EOK; +} +#endif /* HAVE_SEMANAGE */ diff --git a/src/util/util.h b/src/util/util.h index 0ac9b0104..b43ce6f50 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -591,4 +591,8 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx, struct sss_creds **saved_creds); errno_t restore_creds(struct sss_creds *saved_creds); +/* from sss_semanage.c */ +int set_seuser(const char *login_name, const char *seuser_name); +int del_seuser(const char *login_name); + #endif /* __SSSD_UTIL_H__ */ |