From 1e0fa55fb377db788e065de917ba8e149eb56161 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Thu, 9 Apr 2015 22:18:35 +0200 Subject: selinux: Only call semanage if the context actually changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek --- src/providers/ipa/selinux_child.c | 35 +++++++++++++++++++++++++++++++---- 1 file changed, 31 insertions(+), 4 deletions(-) (limited to 'src/providers/ipa') diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c index 81c1de877..7c5731d66 100644 --- a/src/providers/ipa/selinux_child.c +++ b/src/providers/ipa/selinux_child.c @@ -165,6 +165,29 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name, return ret; } +static bool seuser_needs_update(struct input_buffer *ibuf) +{ + bool needs_update = true; + char *db_seuser = NULL; + char *db_mls_range = NULL; + errno_t ret; + + ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range); + DEBUG(SSSDBG_TRACE_INTERNAL, + "get_seuser: ret: %d seuser: %s mls: %s\n", + ret, db_seuser ? db_seuser : "unknown", + db_mls_range ? db_mls_range : "unknown"); + if (ret == EOK && db_seuser && db_mls_range && + strcmp(db_seuser, ibuf->seuser) == 0 && + strcmp(db_mls_range, ibuf->mls_range) == 0) { + needs_update = false; + } + + talloc_free(db_seuser); + talloc_free(db_mls_range); + return needs_update; +} + int main(int argc, const char *argv[]) { int opt; @@ -177,6 +200,7 @@ int main(int argc, const char *argv[]) struct input_buffer *ibuf = NULL; struct response *resp = NULL; ssize_t written; + bool needs_update; struct poptOption long_options[] = { POPT_AUTOHELP @@ -296,10 +320,13 @@ int main(int argc, const char *argv[]) DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n"); - ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range); - if (ret != EOK) { - DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n"); - goto fail; + needs_update = seuser_needs_update(ibuf); + if (needs_update == true) { + ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n"); + goto fail; + } } ret = prepare_response(main_ctx, ret, &resp); -- cgit