author | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 10:07:29 +0200 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 18:11:59 +0200 |
commit | ebb1f28998c06984765e3e78d30911c1c3ec84e2 (patch) | |
tree | df4f3009903fd1f312365776d7e1c8d37bee58be /src | |
parent | 894d18ff4178f40a18bbfece8fae270d8307eac6 (diff) | |
SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (i.e. empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
Diffstat (limited to 'src')
-rw-r--r-- | src/db/sysdb_selinux.c | 11 | ||||
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 18 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 43 |
3 files changed, 39 insertions, 33 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index bc067225b..857b17d95 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -191,6 +191,11 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
 return ENOMEM;
 }

+ if (!order) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("The SELinux order is missing\n"));
+ return EINVAL;
+ }
+
 if (default_user) {
 ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_USER,
 default_user);
@@ -205,7 +210,7 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
 goto done;
 }

- ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
+ ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
 done:
 talloc_free(attrs);
 return ret;
@@ -344,7 +349,9 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
 ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_SUBTREE,
 filter, attrs, &msgs_count, &msgs);
- if (ret) {
+ if (ret == ENOENT) {
+ msgs_count = 0;
+ } else if (ret) {
 goto done;
 }

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 36a2bfb4a..0adc0fd02 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -136,11 +136,9 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
 goto fail;
 }

- if (default_user != NULL && map_order != NULL) {
- ret = sysdb_store_selinux_config(sysdb, default_user, map_order);
- if (ret != EOK) {
- goto fail;
- }
+ ret = sysdb_store_selinux_config(sysdb, default_user, map_order);
+ if (ret != EOK) {
+ goto fail;
 }

 if (map_count > 0 && maps != NULL) {
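Review bot: The new `if (!order)` check in sysdb_store_selinux_config returns EINVAL directly, but it sits after the `return ENOMEM` that appears to be the failure path of the `attrs` allocation, so by then `attrs` is already allocated and the early return skips the `talloc_free(attrs)` at `done:` — a leak on every call that arrives without an order. Either move the check above the allocation (the function's head is outside the hunk) or route it through the cleanup label: `ret = EINVAL;` / `goto done;` in place of `return EINVAL;`. In the ipa_selinux_handler_done hunk the removed guard means a NULL map_order now reaches this check and fails the whole handler instead of being skipped; that matches the commit message for the default user, but the message says nothing about a missing order, so a comment there such as `/* A missing map order is an error; only a missing default user is tolerated */` would record the intent.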
@@ -668,13 +666,15 @@ ipa_get_selinux_recv(struct tevent_req *req,
 if (state->defaults != NULL) {
 ret = sysdb_attrs_get_string(state->defaults,
 IPA_CONFIG_SELINUX_DEFAULT_MAP, &tmp_str);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
 return ret;
 }

- *default_user = talloc_strdup(mem_ctx, tmp_str);
- if (*default_user == NULL) {
- return ENOMEM;
+ if (ret == EOK) {
+ *default_user = talloc_strdup(mem_ctx, tmp_str);
+ if (*default_user == NULL) {
+ return ENOMEM;
+ }
 }

 ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_MAP_ORDER,
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 4c0356832..07fa96ab8 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
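Review bot: When sysdb_attrs_get_string returns ENOENT for IPA_CONFIG_SELINUX_DEFAULT_MAP the new `if (ret == EOK)` branch is skipped and `*default_user` is never assigned, so unless the caller or code earlier in ipa_get_selinux_recv (which starts outside the hunk) initialises it, the out-parameter keeps whatever it held before and a later NULL check cannot distinguish "no default configured" from an indeterminate pointer. Adding `*default_user = NULL;` before the lookup, or an `else { *default_user = NULL; }` on the new branch, pins the contract the commit message describes: missing default → NULL. The enclosing function continues past the end of the hunk.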
@@ -519,30 +519,33 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
 goto done;
 }

- /* We need two values from the config object:
- * - default SELinux user in case no other is available
- * - the order for fetched usermaps
- */
- for (i = 0; i < config->num_elements; i++) {
- if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_USER) == 0) {
- default_user = (const char *)config->elements[i].values[0].data;
- } else if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_ORDER) == 0) {
- tmp_str = (char *)config->elements[i].values[0].data;
- len = config->elements[i].values[0].length;
- order = talloc_strdup(tmp_ctx, tmp_str);
- if (order == NULL) {
- goto done;
- }
- }
+ default_user = ldb_msg_find_attr_as_string(config,
+ SYSDB_SELINUX_DEFAULT_USER,
+ NULL);
+ if (!default_user || default_user[0] == '\0') {
+ /* Skip creating the maps altogether if there is no default
+ * or empty default
+ */
+ ret = EOK;
+ goto done;
 }

- if (default_user == NULL || order == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("No default SELinux user "
- "or map order given!\n"));
+ tmp_str = ldb_msg_find_attr_as_string(config,
+ SYSDB_SELINUX_DEFAULT_ORDER,
+ NULL);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("No map order given!\n"));
 ret = EINVAL;
 goto done;
 }

+ order = talloc_strdup(tmp_ctx, tmp_str);
+ if (order == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ len = strlen(order);
+
 /* The "order" string contains one or more SELinux user records
 * separated by $. Now we need to create an array of string from
 * this one string. First find out how many elements in the array
@@ -577,10 +580,6 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
 &usermaps);
 if (ret != EOK && ret != ENOENT) {
 goto done;
- } else if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_FUNC, ("No maps defined on the server\n"));
- ret = EOK;
- goto done;
 }

 /* If no maps match, we'll use the default SELinux user from the |
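Review bot: With the `else if (ret == ENOENT)` early return dropped in the second hunk, ret == ENOENT now falls through to the code after `/* If no maps match ... */`, but `usermaps` is only certain to be set by sysdb_search_selinux_usermap_by_username on success; if the search reports ENOENT before assigning the out-parameter and `usermaps` is not initialised to NULL at its declaration (outside the hunk), the fall-through works on an indeterminate pointer. Initialise it at the declaration and, since `ret` still holds ENOENT at this point, either reset it with `ret = EOK;` or confirm that every path below assigns `ret` before reaching `done:`. In the first hunk, the silent `ret = EOK; goto done;` taken when the default user is missing or empty deserves a trace line such as `DEBUG(SSSDBG_TRACE_FUNC, ("No default SELinux user set, not creating a login file\n"));` so that an absent login file can be explained from the logs. The enclosing function begins and ends outside both hunks.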