-rw-r--r-- | Makefile.am | 37 | ||||
-rw-r--r-- | src/tests/dlopen-tests.c | 1 | ||||
-rw-r--r-- | src/tools/selinux.c | 334 | ||||
-rw-r--r-- | src/tools/tools_util.h | 2 | ||||
-rw-r--r-- | src/util/sss_semanage.c | 360 | ||||
-rw-r--r-- | src/util/util.h | 4 |
6 files changed, 393 insertions, 345 deletions
diff --git a/Makefile.am b/Makefile.am index 6a8124b5a..49acdb107 100644 --- a/Makefile.am +++ b/Makefile.am @@ -476,10 +476,6 @@ if BUILD_SELINUX PYTHON_BINDINGS_LIBS += $(SELINUX_LIBS) TOOLS_LIBS += $(SELINUX_LIBS) endif -if BUILD_SEMANAGE - PYTHON_BINDINGS_LIBS += $(SEMANAGE_LIBS) - TOOLS_LIBS += $(SEMANAGE_LIBS) -endif dist_noinst_HEADERS = \ src/monitor/monitor.h \ @@ -728,11 +724,26 @@ libsss_util_la_SOURCES += \ endif libsss_util_la_LDFLAGS = -avoid-version +pkglib_LTLIBRARIES += libsss_semanage.la +libsss_semanage_la_SOURCES = \ + src/util/sss_semanage.c \ + $(NULL) +libsss_semanage_la_LIBADD = \ + libsss_debug.la \ + $(NULL) +if BUILD_SEMANAGE +libsss_semanage_la_LIBADD += $(SEMANAGE_LIBS) +endif + +libsss_semanage_la_LDFLAGS = \ + -avoid-version + SSSD_INTERNAL_LTLIBS = \ libsss_util.la \ libsss_crypt.la \ libsss_debug.la \ - libsss_child.la + libsss_child.la \ + $(NULL) if BUILD_IFP if BUILD_CONFIG_LIB @@ -1065,7 +1076,9 @@ sss_useradd_SOURCES = \ $(SSSD_TOOLS_OBJ) sss_useradd_LDADD = \ $(TOOLS_LIBS) \ - $(SSSD_INTERNAL_LTLIBS) + $(SSSD_INTERNAL_LTLIBS) \ + libsss_semanage.la \ + $(NULL) sss_userdel_SOURCES = \ src/tools/sss_userdel.c \ @@ -1073,7 +1086,9 @@ sss_userdel_SOURCES = \ sss_userdel_LDADD = \ $(TOOLS_LIBS) \ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) sss_userdel_CFLAGS = \ $(AM_CFLAGS) @@ -1099,7 +1114,9 @@ sss_usermod_SOURCES = \ sss_usermod_LDADD = \ $(TOOLS_LIBS) \ $(SSSD_INTERNAL_LTLIBS) \ - $(CLIENT_LIBS) + $(CLIENT_LIBS) \ + libsss_semanage.la \ + $(NULL) sss_usermod_CFLAGS = $(AM_CFLAGS) sss_groupmod_SOURCES = \ @@ -2372,7 +2389,9 @@ libsss_ipa_la_LIBADD = \ libsss_ldap_common.la \ libsss_krb5_common.la \ libipa_hbac.la \ - libsss_idmap.la + libsss_idmap.la \ + libsss_semanage.la \ + $(NULL) libsss_ipa_la_LDFLAGS = \ -avoid-version \ -module diff --git a/src/tests/dlopen-tests.c b/src/tests/dlopen-tests.c index 1dd80c49c..7e56d6524 100644 --- a/src/tests/dlopen-tests.c 
+++ b/src/tests/dlopen-tests.c @@ -38,6 +38,7 @@ struct so { const char *libs[6]; } so[] = { { "libsss_debug.so", { LIBPFX"libsss_debug.so", NULL } }, + { "libsss_semanage.so", { LIBPFX"libsss_semanage.so", NULL } }, { "libipa_hbac.so", { LIBPFX"libipa_hbac.so", NULL } }, { "libsss_idmap.so", { LIBPFX"libsss_idmap.so", NULL } }, { "libsss_nss_idmap.so", { LIBPFX"libsss_nss_idmap.so", NULL } }, diff --git a/src/tools/selinux.c b/src/tools/selinux.c index 1f87d40f9..5e9c458f9 100644 --- a/src/tools/selinux.c +++ b/src/tools/selinux.c @@ -27,16 +27,8 @@ #include <selinux/selinux.h> #endif -#ifdef HAVE_SEMANAGE -#include <semanage/semanage.h> -#endif - #include "tools/tools_util.h" -#ifndef DEFAULT_SERANGE -#define DEFAULT_SERANGE "s0" -#endif - #ifdef HAVE_SELINUX /* * selinux_file_context - Set the security context before any file or 
@@ -89,329 +81,3 @@ int reset_selinux_file_context(void) return EOK; } #endif /* HAVE_SELINUX */ - -#ifdef HAVE_SEMANAGE -/* turn libselinux messages into SSSD DEBUG() calls */ -static void sss_semanage_error_callback(void *varg, - semanage_handle_t *handle, - const char *fmt, ...) -{ - int level = SSSDBG_INVALID; - int ret; - char * message = NULL; - va_list ap; - - switch (semanage_msg_get_level(handle)) { - case SEMANAGE_MSG_ERR: - level = SSSDBG_CRIT_FAILURE; - break; - case SEMANAGE_MSG_WARN: - level = SSSDBG_MINOR_FAILURE; - break; - case SEMANAGE_MSG_INFO: - level = SSSDBG_TRACE_FUNC; - break; - } - - va_start(ap, fmt); - ret = vasprintf(&message, fmt, ap); - va_end(ap); - if (ret < 0) { - /* ENOMEM */ - return; - } - - if (DEBUG_IS_SET(level)) - debug_fn(__FILE__, __LINE__, "libsemanage", level, "%s\n", message); - free(message); -} - -static semanage_handle_t *sss_semanage_init(void) -{ - int ret; - semanage_handle_t *handle = NULL; - - handle = semanage_handle_create(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); - return NULL; - } - - semanage_msg_set_callback(handle, - sss_semanage_error_callback, - NULL); - - ret = semanage_is_managed(handle); - if (ret != 1) { - DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); - goto fail; - } - - ret = semanage_access_check(handle); - if (ret < SEMANAGE_CAN_READ) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); - goto fail; - } - - ret = semanage_connect(handle); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot estabilish SELinux management connection\n"); - goto fail; - } - - ret = semanage_begin_transaction(handle); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); - goto fail; - } - - return handle; -fail: - semanage_handle_destroy(handle); - return NULL; -} - -static int sss_semanage_user_add(semanage_handle_t *handle, - semanage_seuser_key_t *key, - const char *login_name, - const char 
*seuser_name) -{ - int ret; - semanage_seuser_t *seuser = NULL; - - ret = semanage_seuser_create(handle, &seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Cannot create SELinux login mapping for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_name(handle, seuser, login_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set serange for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_sename(handle, seuser, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set SELinux user for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_modify_local(handle, key, seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not add login mapping for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_free(seuser); - return ret; -} - -static int sss_semanage_user_mod(semanage_handle_t *handle, - semanage_seuser_key_t *key, - const char *login_name, - const char *seuser_name) -{ - int ret; - semanage_seuser_t *seuser = NULL; - - semanage_seuser_query(handle, key, &seuser); - if (seuser == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not query seuser for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not set serange for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_set_sename(handle, seuser, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name); - ret = EIO; - goto done; - } - - ret = semanage_seuser_modify_local(handle, key, seuser); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - ("Could not modify 
login mapping for %s\n"), login_name); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_free(seuser); - return ret; -} - -int set_seuser(const char *login_name, const char *seuser_name) -{ - semanage_handle_t *handle = NULL; - semanage_seuser_key_t *key = NULL; - int ret; - int seuser_exists = 0; - - if (seuser_name == NULL) { - /* don't care, just let system pick the defaults */ - return EOK; - } - - handle = sss_semanage_init(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_key_create(handle, login_name, &key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_exists(handle, key, &seuser_exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (seuser_exists) { - ret = sss_semanage_user_mod(handle, key, login_name, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n"); - ret = EIO; - goto done; - } - } else { - ret = sss_semanage_user_add(handle, key, login_name, seuser_name); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n"); - ret = EIO; - goto done; - } - } - - ret = semanage_commit(handle); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_seuser_key_free(key); - semanage_handle_destroy(handle); - return ret; -} - -int del_seuser(const char *login_name) -{ - semanage_handle_t *handle = NULL; - semanage_seuser_key_t *key = NULL; - int ret; - int exists = 0; - - handle = sss_semanage_init(); - if (!handle) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_key_create(handle, login_name, &key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, 
"Cannot create SELinux user key\n"); - ret = EIO; - goto done; - } - - ret = semanage_seuser_exists(handle, key, &exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (!exists) { - DEBUG(SSSDBG_FUNC_DATA, - "Login mapping for %s is not defined, OK if default mapping " - "was used\n", login_name); - ret = EOK; /* probably default mapping */ - goto done; - } - - ret = semanage_seuser_exists_local(handle, key, &exists); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); - ret = EIO; - goto done; - } - - if (!exists) { - DEBUG(SSSDBG_CRIT_FAILURE, "Login mapping for %s is defined in policy, " - "cannot be deleted", login_name); - ret = ENOENT; - goto done; - } - - ret = semanage_seuser_del_local(handle, key); - if (ret != 0) { - DEBUG(SSSDBG_CRIT_FAILURE, - "Could not delete login mapping for %s", login_name); - ret = EIO; - goto done; - } - - ret = semanage_commit(handle); - if (ret < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); - ret = EIO; - goto done; - } - - ret = EOK; -done: - semanage_handle_destroy(handle); - return ret; -} - -#else /* HAVE_SEMANAGE */ -int set_seuser(const char *login_name, const char *seuser_name) -{ - return EOK; -} - -int del_seuser(const char *login_name) -{ - return EOK; -} -#endif /* HAVE_SEMANAGE */ diff --git a/src/tools/tools_util.h b/src/tools/tools_util.h index 87fe752ea..c5990b012 100644 --- a/src/tools/tools_util.h +++ b/src/tools/tools_util.h @@ -123,7 +123,5 @@ int copy_tree(const char *src_root, const char *dst_root, /* from selinux.c */ int selinux_file_context(const char *dst_name); int reset_selinux_file_context(void); -int set_seuser(const char *login_name, const char *seuser_name); -int del_seuser(const char *login_name); #endif /* __TOOLS_UTIL_H__ */ diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c new file mode 100644 index 000000000..dbef3b343 --- /dev/null 
+++ b/src/util/sss_semanage.c 
@@ -0,0 +1,360 @@ +/* + SSSD + + sss_semanage.c + + Copyright (C) Jakub Hrozek <jhrozek@redhat.com> 2010 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "config.h" + +#include <stdio.h> + +#ifdef HAVE_SEMANAGE +#include <semanage/semanage.h> +#endif + +#include "util/util.h" + +#ifndef DEFAULT_SERANGE +#define DEFAULT_SERANGE "s0" +#endif + +#ifdef HAVE_SEMANAGE +/* turn libselinux messages into SSSD DEBUG() calls */ +static void sss_semanage_error_callback(void *varg, + semanage_handle_t *handle, + const char *fmt, ...) 
+{ + int level = SSSDBG_INVALID; + int ret; + char * message = NULL; + va_list ap; + + switch (semanage_msg_get_level(handle)) { + case SEMANAGE_MSG_ERR: + level = SSSDBG_CRIT_FAILURE; + break; + case SEMANAGE_MSG_WARN: + level = SSSDBG_MINOR_FAILURE; + break; + case SEMANAGE_MSG_INFO: + level = SSSDBG_TRACE_FUNC; + break; + } + + va_start(ap, fmt); + ret = vasprintf(&message, fmt, ap); + va_end(ap); + if (ret < 0) { + /* ENOMEM */ + return; + } + + if (DEBUG_IS_SET(level)) + debug_fn(__FILE__, __LINE__, "libsemanage", level, "%s\n", message); + free(message); +} + +static semanage_handle_t *sss_semanage_init(void) +{ + int ret; + semanage_handle_t *handle = NULL; + + handle = semanage_handle_create(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n"); + return NULL; + } + + semanage_msg_set_callback(handle, + sss_semanage_error_callback, + NULL); + + ret = semanage_is_managed(handle); + if (ret != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n"); + goto fail; + } + + ret = semanage_access_check(handle); + if (ret < SEMANAGE_CAN_READ) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n"); + goto fail; + } + + ret = semanage_connect(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot estabilish SELinux management connection\n"); + goto fail; + } + + ret = semanage_begin_transaction(handle); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot begin SELinux transaction\n"); + goto fail; + } + + return handle; +fail: + semanage_handle_destroy(handle); + return NULL; +} + +static int sss_semanage_user_add(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + ret = semanage_seuser_create(handle, &seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot create SELinux login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = 
semanage_seuser_set_name(handle, seuser, login_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set name for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set SELinux user for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not add login mapping for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +static int sss_semanage_user_mod(semanage_handle_t *handle, + semanage_seuser_key_t *key, + const char *login_name, + const char *seuser_name) +{ + int ret; + semanage_seuser_t *seuser = NULL; + + semanage_seuser_query(handle, key, &seuser); + if (seuser == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not query seuser for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not set serange for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_set_sename(handle, seuser, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not set sename for %s\n", login_name); + ret = EIO; + goto done; + } + + ret = semanage_seuser_modify_local(handle, key, seuser); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Could not modify login mapping for %s\n"), login_name); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_free(seuser); + return ret; +} + +int set_seuser(const char *login_name, const char *seuser_name) +{ + semanage_handle_t *handle = NULL; + 
semanage_seuser_key_t *key = NULL; + int ret; + int seuser_exists = 0; + + if (seuser_name == NULL) { + /* don't care, just let system pick the defaults */ + return EOK; + } + + handle = sss_semanage_init(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &seuser_exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (seuser_exists) { + ret = sss_semanage_user_mod(handle, key, login_name, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot modify SELinux user mapping\n"); + ret = EIO; + goto done; + } + } else { + ret = sss_semanage_user_add(handle, key, login_name, seuser_name); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot add SELinux user mapping\n"); + ret = EIO; + goto done; + } + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_seuser_key_free(key); + semanage_handle_destroy(handle); + return ret; +} + +int del_seuser(const char *login_name) +{ + semanage_handle_t *handle = NULL; + semanage_seuser_key_t *key = NULL; + int ret; + int exists = 0; + + handle = sss_semanage_init(); + if (!handle) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_key_create(handle, login_name, &key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux user key\n"); + ret = EIO; + goto done; + } + + ret = semanage_seuser_exists(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if 
(!exists) { + DEBUG(SSSDBG_FUNC_DATA, + "Login mapping for %s is not defined, OK if default mapping " + "was used\n", login_name); + ret = EOK; /* probably default mapping */ + goto done; + } + + ret = semanage_seuser_exists_local(handle, key, &exists); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot verify the SELinux user\n"); + ret = EIO; + goto done; + } + + if (!exists) { + DEBUG(SSSDBG_CRIT_FAILURE, "Login mapping for %s is defined in policy, " + "cannot be deleted", login_name); + ret = ENOENT; + goto done; + } + + ret = semanage_seuser_del_local(handle, key); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Could not delete login mapping for %s", login_name); + ret = EIO; + goto done; + } + + ret = semanage_commit(handle); + if (ret < 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot commit SELinux transaction\n"); + ret = EIO; + goto done; + } + + ret = EOK; +done: + semanage_handle_destroy(handle); + return ret; +} + +#else /* HAVE_SEMANAGE */ +int set_seuser(const char *login_name, const char *seuser_name) +{ + return EOK; +} + +int del_seuser(const char *login_name) +{ + return EOK; +} +#endif /* HAVE_SEMANAGE */ diff --git a/src/util/util.h b/src/util/util.h index 0ac9b0104..b43ce6f50 100644 --- a/src/util/util.h +++ b/src/util/util.h @@ -591,4 +591,8 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx, struct sss_creds **saved_creds); errno_t restore_creds(struct sss_creds *saved_creds); +/* from sss_semanage.c */ +int set_seuser(const char *login_name, const char *seuser_name); +int del_seuser(const char *login_name); + #endif /* __SSSD_UTIL_H__ */ |
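Review bot: `del_seuser` in the new src/util/sss_semanage.c leaks the key it gets from `semanage_seuser_key_create()`: its `done:` label only calls `semanage_handle_destroy(handle)`, while `set_seuser` frees the key first. Add `semanage_seuser_key_free(key);` ahead of the destroy call, matching `set_seuser`. This matters more after the move, because the Makefile.am hunk links the library into `libsss_ipa`, which is presumably a long-lived process where the leak repeats on every call. In the same file, `sss_semanage_user_mod` discards the return value of `semanage_seuser_query()` and relies only on `seuser == NULL`. `sss_semanage_init` also accepts `ret >= SEMANAGE_CAN_READ` before opening a write transaction, so checking for `SEMANAGE_CAN_WRITE` would fail earlier with a clearer message.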