From f3a25949de81f80c136bb073e4a8f504b080c20c Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 20 Oct 2014 23:16:40 +0200
Subject: IPA: Move setting the SELinux context to a child process
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.

Reviewed-by: Michal Židek <mzidek@redhat.com>
---
 contrib/sssd.spec.in | 1 +
 1 file changed, 1 insertion(+)

(limited to 'contrib')

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index d2e6cec26..5bfb16707 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -665,6 +665,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %{_libdir}/%{name}/libsss_ipa.so
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang
-- 
cgit