-rw-r--r--src/providers/ipa/ipa_selinux.c14
-rw-r--r--src/providers/ipa/selinux_child.c10
2 files changed, 17 insertions, 7 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 4286eb163..50ff84056 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
/* If no maps match, we'll use the default SELinux user from the
* config */
- seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
+ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
if (seuser_mls_str == NULL) {
ret = ENOMEM;
goto done;
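Review bot: The comment above the changed `talloc_strdup` call still says only that the default SELinux user from the config is used, but a NULL `default_user` now yields an empty string that serves as an in-band "no default configured" marker. I would extend the comment, for example `/* If no maps match, use the default SELinux user from the config; an empty string means none is configured and the system default applies */`. choose_best_seuser continues outside the hunk, so any later code that parses `seuser_mls_str` should be checked for tolerance of an empty value.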
@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
return ENOMEM;
}
- ret = sysdb_attrs_add_string(state->defaults,
- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
- default_user);
- if (ret != EOK) {
- return ret;
+ if (default_user) {
+ ret = sysdb_attrs_add_string(state->defaults,
+ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+ default_user);
+ if (ret != EOK) {
+ return ret;
+ }
}
ret = sysdb_attrs_add_string(state->defaults,
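Review bot: When `default_user` is NULL, the new `if (default_user)` branch skips the attribute silently, so nothing in the log shows that the offline path ran without a configured default. Elsewhere in this commit that condition appears to end with the login's SELinux mapping being removed, which changes the user's confinement, so it is worth making auditable with an else branch such as `DEBUG(SSSDBG_TRACE_FUNC, "No default SELinux user in cache\n");`. Readers of `state->defaults` must also tolerate the attribute being absent. That code and the rest of ipa_get_selinux_maps_offline are outside the hunk.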
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 63d4b9297..3756557a5 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
* the directories are created with the expected permissions
*/
old_mask = umask(0);
- ret = set_seuser(login_name, seuser_name, mls);
+ if (strcmp(seuser_name, "") == 0) {
+ /* An empty SELinux user should cause SSSD to use the system
+ * default. We need to remove the SELinux user from the DB
+ * in that case
+ */
+ ret = del_seuser(login_name);
+ } else {
+ ret = set_seuser(login_name, seuser_name, mls);
+ }
umask(old_mask);
return ret;
}
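Review bot: The new `strcmp(seuser_name, "")` in sc_set_seuser dereferences `seuser_name` with no NULL check, and the start of the function is outside the hunk, so it is not visible whether callers guarantee a non-NULL value. A guard placed before `umask(0)`, such as `if (seuser_name == NULL) return EINVAL;`, would keep a malformed request from crashing the privileged child, and `seuser_name[0] == '\0'` reads more directly than the `strcmp`. It is also not visible whether `del_seuser` returns success for a login that has no mapping; if it does not, this benign case would be reported as a failure. The `mls` argument is ignored in the delete branch, which the comment could state.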