SELINUX: Set and reset umask when caling set_seuser from deamon code

https://fedorahosted.org/sssd/ticket/2563

Reviewed-by: Michal Židek <mzidek@redhat.com>

2 files changed, 21 insertions, 1 deletions

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 6390d43cb..7297f5ed3 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -135,6 +135,22 @@ static errno_t prepare_response(TALLOC_CTX *mem_ctx,
     return EOK;
 }
 
+static int sc_set_seuser(const char *login_name, const char *seuser_name,
+                         const char *mls)
+{
+    int ret;
+    mode_t old_mask;
+
+    /* This is a workaround for
+     * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure
+     * the directories are created with the expected permissions
+     */
+    old_mask = umask(0);
+    ret = set_seuser(login_name, seuser_name, mls);
+    umask(old_mask);
+    return ret;
+}
+
 int main(int argc, const char *argv[])
 {
     int opt;
@@ -256,7 +272,7 @@ int main(int argc, const char *argv[])
 
     DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n");
 
-    ret = set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
+    ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n");
         goto fail;
diff --git a/src/util/util.h b/src/util/util.h
index 4ee9bad11..22d6ef0a4 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -640,6 +640,10 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
 errno_t restore_creds(struct sss_creds *saved_creds);
 
 /* from sss_semanage.c */
+/* Please note that libsemange relies on files and directories created with
+ * certain permissions. Therefore the caller should make sure the umask is
+ * not too restricted (especially when called from the daemon code).
+ */
 int set_seuser(const char *login_name, const char *seuser_name,
                const char *mlsrange);
 int del_seuser(const char *login_name);