authorJakub Hrozek <jhrozek@redhat.com>2015-02-13 17:57:35 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-04 20:03:50 +0100
commite946ea98f8ef14d8077f85de1127763d643296a3 (patch)
tree739495874ffad9233863b5b7f63b6d0629b79be6
parent9037b1f7258a5d3095c1af5d45abbfa21c49b3a0 (diff)
selinux: Delete existing user mapping on empty default
https://fedorahosted.org/sssd/ticket/2587 The case of the SELinux default user mapping being an empty string is valid; it should translate into "pick the default context on the target machine". When the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com> (cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430) (cherry picked from commit 90efb3c2a48146d7b6cc81fe8422e9024144402a)
-rw-r--r--src/providers/ipa/ipa_selinux.c14
-rw-r--r--src/providers/ipa/selinux_child.c10
2 files changed, 17 insertions, 7 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index f7e17c97f..00c793a26 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
/* If no maps match, we'll use the default SELinux user from the
* config */
- seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
+ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
if (seuser_mls_str == NULL) {
ret = ENOMEM;
goto done;
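Review bot: The `default_user ? default_user : ""` fallback on the new line makes a NULL default indistinguishable from an explicitly empty one, and an empty seuser is exactly what now triggers deletion of the user's existing mapping in the selinux_child part of this commit. If default_user can be NULL for a reason other than an administrator clearing the setting — a config attribute that failed to fetch, say — this turns a lookup failure into silently dropping a stricter per-user SELinux mapping, where the old line failed closed with ENOMEM from talloc_strdup(NULL). Either keep the two cases apart at the caller, or document the decision right here: `/* NULL == no default configured; treated like an empty default, i.e. the target's system default is used */`. choose_best_seuser starts and ends outside this hunk.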
@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
return ENOMEM;
}
- ret = sysdb_attrs_add_string(state->defaults,
- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
- default_user);
- if (ret != EOK) {
- return ret;
+ if (default_user) {
+ ret = sysdb_attrs_add_string(state->defaults,
+ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+ default_user);
+ if (ret != EOK) {
+ return ret;
+ }
}
ret = sysdb_attrs_add_string(state->defaults,
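Review bot: With the new guard, a NULL default_user leaves IPA_CONFIG_SELINUX_DEFAULT_USER_CTX out of state->defaults entirely, whereas the online path in this same commit normalizes NULL to an empty string, so whoever reads state->defaults must now treat an absent attribute as the empty-default case, and that reader is not visible here. If the reason for not storing "" is that sysdb cannot hold an empty value, say so above the guard: `/* A NULL default is not stored (sysdb cannot hold an empty value); readers must treat a missing attribute as "use the system default" */`. ipa_get_selinux_maps_offline continues outside the hunk on both sides.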
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 63d4b9297..3756557a5 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
* the directories are created with the expected permissions
*/
old_mask = umask(0);
- ret = set_seuser(login_name, seuser_name, mls);
+ if (strcmp(seuser_name, "") == 0) {
+ /* An empty SELinux user should cause SSSD to use the system
+ * default. We need to remove the SELinux user from the DB
+ * in that case
+ */
+ ret = del_seuser(login_name);
+ } else {
+ ret = set_seuser(login_name, seuser_name, mls);
+ }
umask(old_mask);
return ret;
}
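Review bot: The new `strcmp(seuser_name, "")` dereferences seuser_name unconditionally, and the deletion it selects is a security-relevant state change that leaves no trace in the log, which makes a later "why did this user lose their restrictive mapping" investigation hard. Suggest `if (seuser_name[0] == '\0')` with a log line ahead of the call, e.g. `DEBUG(SSSDBG_TRACE_FUNC, "Empty SELinux user for %s, removing the mapping\n", login_name);` (assuming the file's usual DEBUG macro is available here), and a comment stating whether the caller guarantees a non-NULL seuser_name. Please also confirm that del_seuser returns EOK when no mapping exists for login_name — the common case for a user who never had one — otherwise every login that resolves to the default now fails in the child. sc_set_seuser's head is outside the hunk.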