authorJakub Hrozek <jhrozek@redhat.com>2015-03-12 16:31:13 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-17 15:43:40 +0100
commit41cce42c02f2ef0bdc3faa7003378a424be5e165 (patch)
treec766aa688f244e065c221b1b4bc7cfa50dcbc50d
parent4874e928ac5a572bccb5a1115fd983535d342c57 (diff)
selinux: Handle setup with empty default and no configured rules
SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com> (cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
-rw-r--r--src/providers/ipa/ipa_selinux.c4
-rw-r--r--src/providers/ipa/selinux_child.c10
2 files changed, 10 insertions, 4 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 19bda3c46..631f9ab80 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
{
errno_t ret;
char *seuser;
- char *mls_range;
+ const char *mls_range;
char *ptr;
char *username;
char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
}
if (*ptr == '\0') {
/* No mls_range specified */
- mls_range = NULL;
+ mls_range = "";
} else {
*ptr = '\0'; /* split */
mls_range = ptr + 1;
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 3756557a5..81c1de877 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ ibuf->seuser = "";
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Empty SELinux user, will delete the mapping\n");
} else {
if ((p + len ) > size) return EINVAL;
ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
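Review bot: `ibuf->seuser = "";` stores a string literal in a field that the else branch fills with talloc memory owned by `ibuf`, so the two paths leave the field with different ownership. If the field is declared `char *` (its declaration is not in this hunk), the assignment drops const, and a later write through it or a talloc free/steal on it would be invalid. Either use `ibuf->seuser = talloc_strdup(ibuf, "");` followed by a NULL check, or declare the field `const char *`. A zero-length seuser used to be rejected and, per the new message, now leads to the mapping being deleted; logging that only at `SSSDBG_TRACE_INTERNAL` may leave no trace at usual debug levels, so a more visible level is worth considering. The body of `unpack_buffer` starts and continues outside this hunk.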
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ if (strcmp(ibuf->seuser, "") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+ return EINVAL;
+ }
} else {
if ((p + len ) > size) return EINVAL;
ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
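Review bot: In the new `len == 0` branch, an empty seuser falls through without assigning `ibuf->mls_range`, while the matching seuser case earlier in the function sets `ibuf->seuser = ""`. The field keeps whatever value `ibuf` was initialised with (its allocation is not visible here), so a consumer that passes it to a string function would dereference NULL if the struct was zero-allocated. Assign it explicitly, for example `ibuf->mls_range = talloc_strdup(ibuf, "");` with a NULL check, and document the rule with a comment such as `/* an empty MLS range is accepted only together with an empty seuser */`. Separately, the context check `if ((p + len ) > size) return EINVAL;` depends on `p + len` not wrapping; if `p` can be 32 bits wide on some builds, `len > size - p` avoids that. The function continues outside this hunk.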
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
if (len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
return EINVAL;
} else {
if ((p + len ) > size) return EINVAL;