IPA: Move setting the SELinux context to a child process

In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.

Reviewed-by: Michal Židek <mzidek@redhat.com>

2 files changed, 2 insertions, 0 deletions

diff --git a/src/util/util_errors.c b/src/util/util_errors.c
index 5b36780ff..d5da64622 100644
--- a/src/util/util_errors.c
+++ b/src/util/util_errors.c
@@ -62,6 +62,7 @@ struct err_string error_to_str[] = {
     { "Bus method not supported" }, /* ERR_SBUS_NOSUP */
     { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
+    { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
 };
 
 
diff --git a/src/util/util_errors.h b/src/util/util_errors.h
index e040ba903..2bc576605 100644
--- a/src/util/util_errors.h
+++ b/src/util/util_errors.h
@@ -84,6 +84,7 @@ enum sssd_errors {
     ERR_SBUS_NOSUP,
     ERR_NO_SYSBUS,
     ERR_REFERRAL,
+    ERR_SELINUX_CONTEXT,
     ERR_LAST            /* ALWAYS LAST */
 };