diff options
| author | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-09 22:18:35 +0200 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2015-04-14 19:58:30 +0200 |
| commit | 1e0fa55fb377db788e065de917ba8e149eb56161 (patch) | |
| tree | 23135820ad4753a5588655d37d1a0fefbc3e6066 /src/util | |
| parent | 748b38a7991d78cbf4726f2a14ace5e926629a54 (diff) | |
| download | sssd-1e0fa55fb377db788e065de917ba8e149eb56161.tar.gz sssd-1e0fa55fb377db788e065de917ba8e149eb56161.tar.xz sssd-1e0fa55fb377db788e065de917ba8e149eb56161.zip | |
selinux: Only call semanage if the context actually changes
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differes from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Diffstat (limited to 'src/util')
| -rw-r--r-- | src/util/sss_semanage.c | 71 | ||||
| -rw-r--r-- | src/util/util.h | 2 |
2 files changed, 73 insertions, 0 deletions
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c index c0342498c..01a2f41d8 100644 --- a/src/util/sss_semanage.c +++ b/src/util/sss_semanage.c @@ -369,6 +369,71 @@ done: return ret; } +int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name, + char **_seuser, char **_mls_range) +{ + errno_t ret; + const char *seuser; + const char *mls_range; + semanage_handle_t *sm_handle = NULL; + semanage_seuser_t *sm_user = NULL; + semanage_seuser_key_t *sm_key = NULL; + + sm_handle = sss_semanage_init(); + if (sm_handle == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_query(sm_handle, sm_key, &sm_user); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name); + ret = EIO; + goto done; + } + + seuser = semanage_seuser_get_sename(sm_user); + if (seuser != NULL) { + *_seuser = talloc_strdup(mem_ctx, seuser); + if (*_seuser == NULL) { + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_OP_FAILURE, + "SELinux user for %s: %s\n", login_name, *_seuser); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name); + } + + mls_range = semanage_seuser_get_mlsrange(sm_user); + if (mls_range != NULL) { + *_mls_range = talloc_strdup(mem_ctx, mls_range); + if (*_mls_range == NULL) { + ret = ENOMEM; + goto done; + } + DEBUG(SSSDBG_OP_FAILURE, + "SELinux range for %s: %s\n", login_name, *_mls_range); + } else { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name); + } + + ret = EOK; +done: + semanage_seuser_key_free(sm_key); + semanage_seuser_free(sm_user); + sss_semanage_close(sm_handle); + return ret; +} + #else /* HAVE_SEMANAGE */ int set_seuser(const char *login_name, const char *seuser_name, const char *mls) @@ -380,4 +445,10 @@ int del_seuser(const char *login_name) { return EOK; } + +int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name, + char **_seuser, char **_mls_range) +{ + return EOK; +} #endif /* HAVE_SEMANAGE */ diff --git a/src/util/util.h b/src/util/util.h index d831d533f..c86bcea5b 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -655,6 +655,8 @@ errno_t restore_creds(struct sss_creds *saved_creds); int set_seuser(const char *login_name, const char *seuser_name, const char *mlsrange); int del_seuser(const char *login_name); +int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name, + char **_seuser, char **_mls_range); /* convert time from generalized form to unix time */ errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time); |