authorJakub Hrozek <jhrozek@redhat.com>2015-03-12 16:31:13 +0100
committerJakub Hrozek <jhrozek@redhat.com>2015-03-17 15:36:45 +0100
commit3e6dac8e14f8a3da6d359ee013453dbd8a38dd99 (patch)
tree920abe917018642fcf735e2e215a41180c8366ba
parent8be0cf3eea892e13410c13abb030322599ca1b4f (diff)
selinux: Handle setup with empty default and no configured rules
SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com>
-rw-r--r--src/providers/ipa/ipa_selinux.c4
-rw-r--r--src/providers/ipa/selinux_child.c10
2 files changed, 10 insertions, 4 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 0555cdd50..516e31a19 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
{
errno_t ret;
char *seuser;
- char *mls_range;
+ const char *mls_range;
char *ptr;
char *username;
char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
}
if (*ptr == '\0') {
/* No mls_range specified */
- mls_range = NULL;
+ mls_range = "";
} else {
*ptr = '\0'; /* split */
mls_range = ptr + 1;
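Review bot: The `mls_range = "";` branch lets a non-empty `seuser` through with an empty MLS range, but the receiving `unpack_buffer()` in selinux_child.c returns EINVAL for exactly that combination ("No MLS mapping!"). If a default consisting of a bare user name without a `:` component can reach this code, the error only surfaces later in the child, far from the configuration value that caused it. Consider rejecting that case here with a DEBUG message naming the offending default, and extending the comment to `/* No mls_range specified; only valid together with an empty seuser, the child rejects anything else */`. selinux_child_setup continues outside the hunk, so such a check may already exist further down.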
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 3756557a5..81c1de877 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ ibuf->seuser = "";
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Empty SELinux user, will delete the mapping\n");
} else {
if ((p + len ) > size) return EINVAL;
ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
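Review bot: `ibuf->seuser = "";` stores a string literal in a field that the else branch fills with talloc_strndup() memory parented to `ibuf`, so the field now has two different ownership rules. Freeing `ibuf` as a whole is unaffected, but a later talloc_free(), talloc_steal() or in-place write on `seuser` would be undefined for the literal; the struct declaration is outside this hunk, so it is not visible whether the field is `const char *`. Either make it const, as this commit does for `mls_range` in ipa_selinux.c, or keep ownership uniform with `ibuf->seuser = talloc_strdup(ibuf, "");` followed by a NULL check. Because a zero-length seuser is no longer rejected but now selects deletion of the mapping, a comment on this branch should state that an empty user is the protocol's marker for "fall back to the system default".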
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ if (strcmp(ibuf->seuser, "") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+ return EINVAL;
+ }
} else {
if ((p + len ) > size) return EINVAL;
ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
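Review bot: When both lengths are zero this branch falls through without assigning `ibuf->mls_range`, so the field keeps whatever value the allocation of `ibuf` gave it, while `seuser` is explicitly set to `""` in the same situation. Whether that value is NULL depends on how `ibuf` is allocated, which is outside this hunk; a consumer that hands `mls_range` to strcmp() or a `%s` format would then read through NULL or uninitialised memory. Assigning it explicitly with `ibuf->mls_range = "";` after the inner `if` keeps the two fields symmetric and makes the "empty user, empty range" state well defined. As a style point, `strcmp(ibuf->seuser, "") != 0` reads more directly as `ibuf->seuser[0] != '\0'`.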
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
if (len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
return EINVAL;
} else {
if ((p + len ) > size) return EINVAL;