summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa/selinux_child.c
Commit message (Collapse)AuthorAgeFilesLines
* Rename dp_backend.h to backend.hPavel Březina2016-06-201-1/+1
| | | | | | Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* sssd: incorrect checks on length values during packet decodingMichal Židek2015-08-311-3/+3
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/1697 It is safer to isolate the checked (unknown/untrusted) value on the left hand side in the conditions to avoid overflows/underflows. Reviewed-by: Petr Cech <pcech@redhat.com>
* selinux: Only call semanage if the context actually changesJakub Hrozek2015-04-141-4/+31
| | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2624 Add a function to query the libsemanage database for a user context and only update the database if the context differes from the one set on the server. Adds talloc dependency to libsss_semanage. Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Handle setup with empty default and no configured rulesJakub Hrozek2015-03-171-2/+8
| | | | | | | | | | SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com>
* selinux: Delete existing user mapping on empty defaultJakub Hrozek2015-03-041-1/+9
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2587 The case of SELinux default user mapping being an empty string is valid, it should translate into "pick the default context on the target machine". In case the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SELINUX: Check the return value of setuid and setgidJakub Hrozek2015-02-131-2/+12
| | | | | | Silences a Coverity warning Reviewed-by: Pavel Reichl <preichl@redhat.com>
* SELINUX: Set and reset umask when caling set_seuser from deamon codeJakub Hrozek2015-01-271-1/+17
| | | | | | https://fedorahosted.org/sssd/ticket/2563 Reviewed-by: Michal Židek <mzidek@redhat.com>
* SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to rootJakub Hrozek2015-01-271-1/+17
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2564 libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check. Reviewed-by: Michal Židek <mzidek@redhat.com>
* sss_atomic_write_s() return value is signedJakub Hrozek2014-12-031-1/+1
| | | | Reviewed-by: Sumit Bose <sbose@redhat.com>
* selinux_child: Do not ignore return values.Michal Zidek2014-11-061-0/+8
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-11-051-0/+272
In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
generated by cgit (git 2.34.1) at 2024-06-03 11:48:38 +0000