Fix regressions with ipa and SELinux
- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u
This commit is contained in:
parent
9f97bec3b0
commit
36805df397
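--- /dev/null
+++ b/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
@@ -0,0 +1,81 @@
+From e991859590d4b598193f192674fca0ded1914bae Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Fri, 13 Feb 2015 17:57:35 +0100
+Subject: [PATCH 16/17] selinux: Delete existing user mapping on empty default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/sssd/ticket/2587
+
+The case of SELinux default user mapping being an empty string is valid,
+it should translate into "pick the default context on the target
+machine".
+
+In case the context is empty, we need to delete the per-user mapping from
+the SELinux database to make sure the default is used.
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+Reviewed-by: Pavel Reichl <preichl@redhat.com>
+(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
+---
+src/providers/ipa/ipa_selinux.c | 14 ++++++++------
+src/providers/ipa/selinux_child.c | 10 +++++++++-
+2 files changed, 17 insertions(+), 7 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index f7e17c97f0bf8d6c64eb045c3bc954da8eb3d568..00c793a2643b51e59884730fa4f0ba3c7ed1bea6 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
+
+/* If no maps match, we'll use the default SELinux user from the
+* config */
+- seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
++ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
+if (seuser_mls_str == NULL) {
+ret = ENOMEM;
+goto done;
+@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
+return ENOMEM;
+}
+
+- ret = sysdb_attrs_add_string(state->defaults,
+- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+- default_user);
+- if (ret != EOK) {
+- return ret;
++ if (default_user) {
++ ret = sysdb_attrs_add_string(state->defaults,
++ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
++ default_user);
++ if (ret != EOK) {
++ return ret;
++ }
+}
+
+ret = sysdb_attrs_add_string(state->defaults,
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
+* the directories are created with the expected permissions
+*/
+old_mask = umask(0);
+- ret = set_seuser(login_name, seuser_name, mls);
++ if (strcmp(seuser_name, "") == 0) {
++ /* An empty SELinux user should cause SSSD to use the system
++ * default. We need to remove the SELinux user from the DB
++ * in that case
++ */
++ ret = del_seuser(login_name);
++ } else {
++ ret = set_seuser(login_name, seuser_name, mls);
++ }
+umask(old_mask);
+return ret;
+}
+--
+2.3.3
+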
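Review bot: In the sc_set_seuser hunk the new `del_seuser(login_name)` call is the whole mechanism by which an empty default falls back to the machine's default context, yet nothing here states what del_seuser returns when `login_name` has no per-user mapping to remove; if that case is reported as an error, a user who never had a mapping would fail SELinux setup instead of getting the default. del_seuser is defined outside this patch, so that return contract should be confirmed and recorded in the block comment, e.g. `/* del_seuser() is expected to succeed when no mapping exists for login_name */`. Separately, with this patch applied alone the branch is unreachable, since unpack_buffer still answers a zero-length seuser with EINVAL until patch 0017 removes that `return EINVAL;`; the two patches are only correct together, which is worth stating in the changelog entry. sc_set_seuser starts before the hunk.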
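--- /dev/null
+++ b/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
@@ -0,0 +1,82 @@
+From 4c047cc4720227ca7ad80f02546493ba6e0199ef Mon Sep 17 00:00:00 2001
+From: Jakub Hrozek <jhrozek@redhat.com>
+Date: Thu, 12 Mar 2015 16:31:13 +0100
+Subject: [PATCH 17/17] selinux: Handle setup with empty default and no
+configured rules
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+SSSD also needs to handle the setup where no rules match the machine and
+the default has no MLS component.
+
+Related to:
+https://fedorahosted.org/sssd/ticket/2587
+
+Reviewed-by: Michal Židek <mzidek@redhat.com>
+(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
+---
+src/providers/ipa/ipa_selinux.c | 4 ++--
+src/providers/ipa/selinux_child.c | 10 ++++++++--
+2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
+index 00c793a2643b51e59884730fa4f0ba3c7ed1bea6..cdb0dfa388eb3743e0b937befd63cf05ae94b71e 100644
+--- a/src/providers/ipa/ipa_selinux.c
++++ b/src/providers/ipa/ipa_selinux.c
+@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+{
+errno_t ret;
+char *seuser;
+- char *mls_range;
++ const char *mls_range;
+char *ptr;
+char *username;
+char *username_final;
+@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
+}
+if (*ptr == '\0') {
+/* No mls_range specified */
+- mls_range = NULL;
++ mls_range = "";
+} else {
+*ptr = '\0'; /* split */
+mls_range = ptr + 1;
+diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
+index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644
+--- a/src/providers/ipa/selinux_child.c
++++ b/src/providers/ipa/selinux_child.c
+@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
+SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
+if (len == 0) {
+- return EINVAL;
++ ibuf->seuser = "";
++ DEBUG(SSSDBG_TRACE_INTERNAL,
++ "Empty SELinux user, will delete the mapping\n");
+} else {
+if ((p + len ) > size) return EINVAL;
+ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
+SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
+if (len == 0) {
+- return EINVAL;
++ if (strcmp(ibuf->seuser, "") != 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
++ return EINVAL;
++ }
+} else {
+if ((p + len ) > size) return EINVAL;
+ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
+@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
+SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
+DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
+if (len == 0) {
++ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
+return EINVAL;
+} else {
+if ((p + len ) > size) return EINVAL;
+--
+2.3.3
+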
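Review bot: In the second unpack_buffer hunk the empty-seuser path now leaves `ibuf->mls_range` unassigned: when `len == 0` and `ibuf->seuser` is `""`, the new `if` skips the EINVAL return and the `else` branch that fills mls_range is not taken either. Whether the field is then NULL or indeterminate depends on how `ibuf` is allocated, which is outside the hunk; sc_set_seuser ignores `mls` on its del_seuser branch today, so this works only by that implicit coupling. Adding `ibuf->mls_range = "";` on the empty-seuser path, mirroring the `mls_range = ""` this same patch introduces in selinux_child_setup, makes both sides of the parent/child protocol agree on "empty means absent". A short comment next to the new strcmp, e.g. `/* empty seuser: mapping is deleted, so no MLS range is required */`, would record why a zero-length range is only tolerated in that case. unpack_buffer starts before the hunk and continues past it.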
@ -27,7 +27,7 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.12.4
|
Version: 1.12.4
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -51,6 +51,8 @@ Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
|
|||||||
Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
|
Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
|
||||||
Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
|
Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
|
||||||
Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
|
Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
|
||||||
|
Patch0016: 0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
|
||||||
|
Patch0017: 0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
|
||||||
|
|
||||||
### Dependencies ###
|
### Dependencies ###
|
||||||
Requires: sssd-common = %{version}-%{release}
|
Requires: sssd-common = %{version}-%{release}
|
||||||
@ -1019,6 +1021,11 @@ if [ $1 -eq 0 ]; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Mar 23 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-5
|
||||||
|
- Fix regressions with ipa and SELinux
|
||||||
|
- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
|
||||||
|
context on client is staff_u
|
||||||
|
|
||||||
* Fri Mar 6 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.4-4
|
* Fri Mar 6 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.4-4
|
||||||
- Also relax libldb Requires
|
- Also relax libldb Requires
|
||||||
- Remove --enable-ldb-version-check
|
- Remove --enable-ldb-version-check
|
||||||
|