From 4b6ee69fb1f713aae125b0fc2d345846e7a0d642 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 12 Mar 2015 16:31:13 +0100
Subject: [PATCH 34/99] selinux: Handle setup with empty default and no
configured rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.
Related to:
https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
---
src/providers/ipa/ipa_selinux.c | 4 ++--
src/providers/ipa/selinux_child.c | 10 ++++++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 19bda3c461c712efebc61265dd8f69ab50be5f2a..631f9ab80afba7dbdb091823b0fb4a0dc1126d49 100644
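--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
 {
 errno_t ret;
 char *seuser;
- char *mls_range;
+ const char *mls_range;
 char *ptr;
 char *username;
 char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
 }
 if (*ptr == '\0') {
 /* No mls_range specified */
- mls_range = NULL;
+ mls_range = "";
 } else {
 *ptr = '\0'; /* split */
 mls_range = ptr + 1;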
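Review bot: The empty string assigned in the second hunk (`mls_range = "";`) now acts as a sentinel that the child process interprets, and the comment above it does not say so. Going by the selinux_child.c part of this same commit, a zero-length mls_range is accepted by the child only when seuser is also empty, so a non-empty seuser without an MLS part would presumably still be rejected there with EINVAL. I would extend the existing comment to something like `/* No mls_range specified; sent as a zero-length field, which selinux_child accepts only together with an empty seuser */` so the dependency is visible where the value is chosen. selinux_child_setup continues outside both hunks, so how the string is packed for the child is inferred rather than shown.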
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644
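--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
 if (len == 0) {
- return EINVAL;
+ ibuf->seuser = "";
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Empty SELinux user, will delete the mapping\n");
 } else {
 if ((p + len ) > size) return EINVAL;
 ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
 if (len == 0) {
- return EINVAL;
+ if (strcmp(ibuf->seuser, "") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+ return EINVAL;
+ }
 } else {
 if ((p + len ) > size) return EINVAL;
 ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
 SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
 DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
 if (len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
 return EINVAL;
 } else {
 if ((p + len ) > size) return EINVAL;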
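Review bot: In the second hunk the accepted `len == 0` branch never assigns `ibuf->mls_range`, whereas the first hunk gives `ibuf->seuser` an explicit `""`. An empty seuser with an empty MLS range now passes unpacking with mls_range holding whatever ibuf was initialised to (presumably NULL; the allocation is outside the hunks), so every later use of that field on the delete-mapping path has to tolerate it. Adding `ibuf->mls_range = "";` after the inner `if` would leave the unpacked structure fully defined. Separately, both fields otherwise hold talloc_strndup copies parented to ibuf, so `talloc_strdup(ibuf, "")` with a NULL check would keep ownership uniform if anything ever frees or steals them individually. unpack_buffer starts and ends outside these hunks.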
--
2.4.0