diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-27 11:12:18 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-01-27 18:13:21 +0100 |
commit | 20dd4c33d226862d124b2f010181550e820df5f8 (patch) | |
tree | bfd8daf724c5af10d20c06e9a726555dae948da4 | |
parent | a77f0b5c39b1f6c497b2b5c6c072d2f4f6e7a745 (diff) | |
download | sssd-20dd4c33d226862d124b2f010181550e820df5f8.tar.gz sssd-20dd4c33d226862d124b2f010181550e820df5f8.tar.xz sssd-20dd4c33d226862d124b2f010181550e820df5f8.zip |
SELINUX: Set and reset umask when caling set_seuser from deamon code
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
-rw-r--r-- | src/providers/ipa/selinux_child.c | 18 | ||||
-rw-r--r-- | src/util/util.h | 4 |
2 files changed, 21 insertions, 1 deletions
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c index bda89c847..d46703896 100644 --- a/src/providers/ipa/selinux_child.c +++ b/src/providers/ipa/selinux_child.c @@ -135,6 +135,22 @@ static errno_t prepare_response(TALLOC_CTX *mem_ctx, return EOK; } +static int sc_set_seuser(const char *login_name, const char *seuser_name, + const char *mls) +{ + int ret; + mode_t old_mask; + + /* This is a workaround for + * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure + * the directories are created with the expected permissions + */ + old_mask = umask(0); + ret = set_seuser(login_name, seuser_name, mls); + umask(old_mask); + return ret; +} + int main(int argc, const char *argv[]) { int opt; @@ -256,7 +272,7 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n"); - ret = set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range); + ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n"); goto fail; diff --git a/src/util/util.h b/src/util/util.h index 23624c815..bf3a9a057 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -628,6 +628,10 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx, errno_t restore_creds(struct sss_creds *saved_creds); /* from sss_semanage.c */ +/* Please note that libsemange relies on files and directories created with + * certain permissions. Therefore the caller should make sure the umask is + * not too restricted (especially when called from the daemon code). + */ int set_seuser(const char *login_name, const char *seuser_name, const char *mlsrange); int del_seuser(const char *login_name); |