Fix regressions with ipa and SELinux

- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
                             context on client is staff_u

0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch

@@ -0,0 +1,81 @@
+From e991859590d4b598193f192674fca0ded1914bae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 13 Feb 2015 17:57:35 +0100
+Subject: [PATCH 16/17] selinux: Delete existing user mapping on empty default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/sssd/ticket/2587
+
+The case of SELinux default user mapping being an empty string is valid,
+it should translate into "pick the default context on the target
+machine".
+
+In case the context is empty, we need to delete the per-user mapping from
+the SELinux database to make sure the default is used.
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
+---
+ src/providers/ipa/ipa_selinux.c   | 14 ++++++++------
+ src/providers/ipa/selinux_child.c | 10 +++++++++-
+ 2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index f7e17c97f0bf8d6c64eb045c3bc954da8eb3d568..00c793a2643b51e59884730fa4f0ba3c7ed1bea6 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
+ 
+     /* If no maps match, we'll use the default SELinux user from the
+      * config */
+-    seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
++    seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
+     if (seuser_mls_str == NULL) {
+         ret = ENOMEM;
+         goto done;
+@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
+         return ENOMEM;
+     }
+ 
+-    ret = sysdb_attrs_add_string(state->defaults,
+-                                 IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+-                                 default_user);
+-    if (ret != EOK) {
+-        return ret;
++    if (default_user) {
++        ret = sysdb_attrs_add_string(state->defaults,
++                                    IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
++                                    default_user);
++        if (ret != EOK) {
++            return ret;
++        }
+     }
+ 
+     ret = sysdb_attrs_add_string(state->defaults,
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
+      * the directories are created with the expected permissions
+      */
+     old_mask = umask(0);
+-    ret = set_seuser(login_name, seuser_name, mls);
++    if (strcmp(seuser_name, "") == 0) {
++        /* An empty SELinux user should cause SSSD to use the system
++         * default. We need to remove the SELinux user from the DB
++         * in that case
++         */
++        ret = del_seuser(login_name);
++    } else {
++        ret = set_seuser(login_name, seuser_name, mls);
++    }
+     umask(old_mask);
+     return ret;
+ }
+-- 
+2.3.3
+

0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch

@@ -0,0 +1,82 @@
+From 4c047cc4720227ca7ad80f02546493ba6e0199ef Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 12 Mar 2015 16:31:13 +0100
+Subject: [PATCH 17/17] selinux: Handle setup with empty default and no
+ configured rules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD also needs to handle the setup where no rules match the machine and
+the default has no MLS component.
+
+Related to:
+https://fedorahosted.org/sssd/ticket/2587
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
+---
+ src/providers/ipa/ipa_selinux.c   |  4 ++--
+ src/providers/ipa/selinux_child.c | 10 ++++++++--
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 00c793a2643b51e59884730fa4f0ba3c7ed1bea6..cdb0dfa388eb3743e0b937befd63cf05ae94b71e 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+ {
+     errno_t ret;
+     char *seuser;
+-    char *mls_range;
++    const char *mls_range;
+     char *ptr;
+     char *username;
+     char *username_final;
+@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+     }
+     if (*ptr == '\0') {
+         /* No mls_range specified */
+-        mls_range = NULL;
++        mls_range = "";
+     } else {
+         *ptr = '\0'; /* split */
+         mls_range = ptr + 1;
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
+     if (len == 0) {
+-        return EINVAL;
++        ibuf->seuser = "";
++        DEBUG(SSSDBG_TRACE_INTERNAL,
++              "Empty SELinux user, will delete the mapping\n");
+     } else {
+         if ((p + len ) > size) return EINVAL;
+         ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
+     if (len == 0) {
+-        return EINVAL;
++        if (strcmp(ibuf->seuser, "") != 0) {
++            DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
++            return EINVAL;
++        }
+     } else {
+         if ((p + len ) > size) return EINVAL;
+         ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
+     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+     DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
+     if (len == 0) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
+         return EINVAL;
+     } else {
+         if ((p + len ) > size) return EINVAL;
+-- 
+2.3.3
+

sssd.spec

@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 1.12.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -51,6 +51,8 @@ Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
 Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
 Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
 Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
+Patch0016: 0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
+Patch0017: 0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -1019,6 +1021,11 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Mon Mar 23 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-5
+- Fix regressions with ipa and SELinux
+- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
+                             context on client is staff_u
+
 * Fri Mar  6 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.4-4
 - Also relax libldb Requires
 - Remove --enable-ldb-version-check