author | Justin Stephenson <jstephen@redhat.com> | 2017-03-09 17:21:37 -0500 |
committer | Lukas Slebodnik <lslebodn@redhat.com> | 2017-09-06 08:17:53 +0200 |
commit | cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce (patch) | |
tree | 6beedc79cdd3d493e874fb92372f58b9d54e64ae | |
parent | e8bad995fb1219df2a4fef8f55c80284c6ab36d3 (diff) | |
SELINUX: Use getseuserbyname to get IPA seuser
The libselinux function getseuserbyname is a more reliable method to retrieve
SELinux usernames than the libsemanage functions such as `semanage_user_query`,
and it is the method recommended by the libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com>
-rw-r--r-- | Makefile.am | 1 | ||||
-rw-r--r-- | src/providers/ipa/selinux_child.c | 12 | ||||
-rw-r--r-- | src/util/sss_semanage.c | 73 | ||||
-rw-r--r-- | src/util/util.h | 2 |
4 files changed, 7 insertions, 81 deletions
diff --git a/Makefile.am b/Makefile.am
index cb5c405a4..42d7e4a17 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4107,6 +4107,7 @@ selinux_child_LDADD = \
     $(POPT_LIBS) \
     $(DHASH_LIBS) \
     $(SEMANAGE_LIBS) \
+    $(SELINUX_LIBS) \
     $(NULL)
 endif
 
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index f8dd3954a..073475094 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 #include <sys/stat.h>
 #include <popt.h>
+#include <selinux/selinux.h>
 
 #include "util/util.h"
 #include "util/child_common.h"
@@ -172,11 +173,10 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
     char *db_mls_range = NULL;
     errno_t ret;
 
-    ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
+    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);
     DEBUG(SSSDBG_TRACE_INTERNAL,
-          "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
-          ret, sss_strerror(ret),
-          db_seuser ? db_seuser : "unknown",
+          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+          ret, db_seuser ? db_seuser : "unknown",
           db_mls_range ? db_mls_range : "unknown");
     if (ret == EOK && db_seuser && db_mls_range &&
         strcmp(db_seuser, ibuf->seuser) == 0 &&
@@ -188,8 +188,8 @@ static bool seuser_needs_update(struct input_buffer *ibuf)
         needs_update = false;
     }
 
-    talloc_free(db_seuser);
-    talloc_free(db_mls_range);
+    free(db_seuser);
+    free(db_mls_range);
 
     return needs_update;
 }
diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c
index 0da97aad4..37278cc98 100644
--- a/src/util/sss_semanage.c
+++ b/src/util/sss_semanage.c
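Review bot: The rewritten DEBUG call after `ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);` drops the failure reason that the old `sss_strerror(ret)` provided: getseuserbyname returns -1 on failure and reports the cause through errno, so printing `ret` alone no longer says why the lookup failed. Saving errno immediately after the call, before DEBUG can overwrite it, keeps the diagnostics, e.g. `int lookup_errno = (ret == -1) ? errno : 0;` and `"getseuserbyname: ret: %d [%s] seuser: %s mls: %s\n", ret, strerror(lookup_errno), db_seuser ? db_seuser : "unknown", db_mls_range ? db_mls_range : "unknown");`. The `ret == EOK` test in the following condition now compares a libselinux 0/-1 status rather than an errno_t; it works because EOK is 0, but a short comment such as `/* getseuserbyname returns 0 on success, -1 with errno on failure */` would save the next reader from checking. As far as I recall, getseuserbyname also falls back to the `__default__` seusers mapping for users without an explicit entry, so a user with no record but a matching default may be reported as not needing an update — if that is intended, it deserves a comment too. seuser_needs_update starts above the second hunk, so its declarations of db_seuser and needs_update are not visible here.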
@@ -382,73 +382,6 @@ done:
     sss_semanage_close(handle);
     return ret;
 }
-
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range)
-{
-    errno_t ret;
-    const char *seuser;
-    const char *mls_range;
-    semanage_handle_t *sm_handle = NULL;
-    semanage_seuser_t *sm_user = NULL;
-    semanage_seuser_key_t *sm_key = NULL;
-
-    ret = sss_semanage_init(&sm_handle);
-    if (ret == ERR_SELINUX_NOT_MANAGED) {
-        goto done;
-    } else if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
-        goto done;
-    }
-
-    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);
-    if (ret != EOK) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);
-        ret = EIO;
-        goto done;
-    }
-
-    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);
-    if (ret < 0) {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);
-        ret = EIO;
-        goto done;
-    }
-
-    seuser = semanage_seuser_get_sename(sm_user);
-    if (seuser != NULL) {
-        *_seuser = talloc_strdup(mem_ctx, seuser);
-        if (*_seuser == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-        DEBUG(SSSDBG_OP_FAILURE,
-              "SELinux user for %s: %s\n", login_name, *_seuser);
-    } else {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);
-    }
-
-    mls_range = semanage_seuser_get_mlsrange(sm_user);
-    if (mls_range != NULL) {
-        *_mls_range = talloc_strdup(mem_ctx, mls_range);
-        if (*_mls_range == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-        DEBUG(SSSDBG_OP_FAILURE,
-              "SELinux range for %s: %s\n", login_name, *_mls_range);
-    } else {
-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);
-    }
-
-    ret = EOK;
-done:
-    semanage_seuser_key_free(sm_key);
-    semanage_seuser_free(sm_user);
-    sss_semanage_close(sm_handle);
-    return ret;
-}
-
 #else /* HAVE_SEMANAGE */
 int set_seuser(const char *login_name, const char *seuser_name, const char *mls)
@@ -460,10 +393,4 @@ int del_seuser(const char *login_name)
 {
     return EOK;
 }
-
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range)
-{
-    return EOK;
-}
 #endif /* HAVE_SEMANAGE */
diff --git a/src/util/util.h b/src/util/util.h
index 3d8bfe479..373830117 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -650,8 +650,6 @@ errno_t restore_creds(struct sss_creds *saved_creds);
 int set_seuser(const char *login_name, const char *seuser_name, const char *mlsrange);
 int del_seuser(const char *login_name);
-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,
-               char **_seuser, char **_mls_range);
 /* convert time from generalized form to unix time */
 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);