authorJakub Hrozek <jhrozek@redhat.com>2014-10-20 23:16:40 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-11-05 19:55:09 +0100
commitf3a25949de81f80c136bb073e4a8f504b080c20c (patch)
tree69523a939b65b371d7a95e16d1f69e237c77f048 /Makefile.am
parent77b13371c87702aee3f858f6b2b73826cf5a01bd (diff)
IPA: Move setting the SELinux context to a child process
In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
Diffstat (limited to 'Makefile.am')
-rw-r--r--Makefile.am27
1 files changed, 27 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
index ea296c40f..b85341f58 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -146,6 +146,9 @@ endif
if BUILD_SAMBA
sssdlibexec_PROGRAMS += gpo_child
endif
+if BUILD_SEMANAGE
+sssdlibexec_PROGRAMS += selinux_child
+endif
if BUILD_PAC_RESPONDER
@@ -2531,6 +2534,26 @@ ldap_child_LDADD = \
$(DHASH_LIBS) \
$(KRB5_LIBS)
+if BUILD_SEMANAGE
+selinux_child_SOURCES = \
+ src/providers/ipa/selinux_child.c \
+ src/util/sss_semanage.c \
+ src/util/atomic_io.c \
+ src/util/util.c \
+ $(NULL)
+selinux_child_CFLAGS = \
+ $(AM_CFLAGS) \
+ $(POPT_CFLAGS) \
+ $(NULL)
+selinux_child_LDADD = \
+ libsss_debug.la \
+ $(TALLOC_LIBS) \
+ $(POPT_LIBS) \
+ $(DHASH_LIBS) \
+ $(SEMANAGE_LIBS) \
+ $(NULL)
+endif
+
gpo_child_SOURCES = \
src/providers/ad/ad_gpo_child.c \
src/util/atomic_io.c \
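Review bot: The `if BUILD_SEMANAGE` block that defines `selinux_child` carries no comment saying that this program is installed setuid root, although the last hunk of this commit gives it mode 4750. A later editor who adds a source file or library to `selinux_child_SOURCES` or `selinux_child_LDADD` would have no hint that everything listed here runs with root privileges. I would add a line above `selinux_child_SOURCES` such as `# selinux_child is installed setuid root (chmod 4750 in the install hook); keep its sources and libraries to the minimum it needs.` Whether all of `src/util/util.c` and `$(DHASH_LIBS)` are needed by the helper cannot be judged from this hunk and is worth confirming.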
@@ -2849,6 +2872,10 @@ endif
if SSSD_USER
chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
chmod 4750 $(sssdlibexecdir)/ldap_child
+if BUILD_SEMANAGE
+ chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
+ chmod 4750 $(sssdlibexecdir)/selinux_child
+endif
endif
install-data-hook:
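Review bot: The added `chgrp` and `chmod 4750` lines act on `$(sssdlibexecdir)/selinux_child` without a `$(DESTDIR)` prefix, so during a staged install they address the path on the running system rather than the file just placed in the staging root. That means the setuid bit may be applied to whatever binary already sits at that path, or the hook fails when none exists. I would write `chgrp $(SSSD_USER) $(DESTDIR)$(sssdlibexecdir)/selinux_child` and `chmod 4750 $(DESTDIR)$(sssdlibexecdir)/selinux_child`; the existing `ldap_child` lines just above follow the same pattern and would need the same change. Nothing in the hunk sets the file's owner, so the helper presumably ends up setuid root only when the install itself runs as root, which deserves a comment. The install hook rule these lines belong to starts above the hunk.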