Fix regressions with ipa and SELinux

- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
                             context on client is staff_u
Lukas Slebodnik 2015-03-23 17:17:30 +01:00
parent 9f97bec3b0
commit 36805df397
3 changed files with 171 additions and 1 deletions


@ -0,0 +1,81 @@
From e991859590d4b598193f192674fca0ded1914bae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 13 Feb 2015 17:57:35 +0100
Subject: [PATCH 16/17] selinux: Delete existing user mapping on empty default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://fedorahosted.org/sssd/ticket/2587
The case of SELinux default user mapping being an empty string is valid,
it should translate into "pick the default context on the target
machine".
In case the context is empty, we need to delete the per-user mapping from
the SELinux database to make sure the default is used.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com>
(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430)
---
src/providers/ipa/ipa_selinux.c | 14 ++++++++------
src/providers/ipa/selinux_child.c | 10 +++++++++-
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index f7e17c97f0bf8d6c64eb045c3bc954da8eb3d568..00c793a2643b51e59884730fa4f0ba3c7ed1bea6 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
/* If no maps match, we'll use the default SELinux user from the
* config */
- seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
+ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
if (seuser_mls_str == NULL) {
ret = ENOMEM;
goto done;
@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
return ENOMEM;
}
- ret = sysdb_attrs_add_string(state->defaults,
- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
- default_user);
- if (ret != EOK) {
- return ret;
+ if (default_user) {
+ ret = sysdb_attrs_add_string(state->defaults,
+ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+ default_user);
+ if (ret != EOK) {
+ return ret;
+ }
}
ret = sysdb_attrs_add_string(state->defaults,
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name,
* the directories are created with the expected permissions
*/
old_mask = umask(0);
- ret = set_seuser(login_name, seuser_name, mls);
+ if (strcmp(seuser_name, "") == 0) {
+ /* An empty SELinux user should cause SSSD to use the system
+ * default. We need to remove the SELinux user from the DB
+ * in that case
+ */
+ ret = del_seuser(login_name);
+ } else {
+ ret = set_seuser(login_name, seuser_name, mls);
+ }
umask(old_mask);
return ret;
}
--
2.3.3
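Review bot: `strcmp(seuser_name, "") == 0` in sc_set_seuser dereferences seuser_name before anything in the hunk checks it for NULL, and with this patch alone the new del_seuser branch appears unreachable: the child's unpack_buffer at this revision (index 3756557a, the pre-image of the next patch) still answers a zero-length seuser with `return EINVAL`, so the empty string only arrives here once the following patch is applied too. A NULL-tolerant test, `if (seuser_name == NULL || seuser_name[0] == '\0') {`, would make the child robust on its own. The return value of del_seuser is also passed straight back through `ret`; if del_seuser reports an error when no mapping exists for login_name (the normal state on a host that never had one), an empty default would fail every login instead of falling back to the system default, so it is worth confirming that "not found" is treated as success. sc_set_seuser's signature is in the hunk header and its body begins above the hunk.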


@ -0,0 +1,82 @@
From 4c047cc4720227ca7ad80f02546493ba6e0199ef Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 12 Mar 2015 16:31:13 +0100
Subject: [PATCH 17/17] selinux: Handle setup with empty default and no
configured rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.
Related to:
https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99)
---
src/providers/ipa/ipa_selinux.c | 4 ++--
src/providers/ipa/selinux_child.c | 10 ++++++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 00c793a2643b51e59884730fa4f0ba3c7ed1bea6..cdb0dfa388eb3743e0b937befd63cf05ae94b71e 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
{
errno_t ret;
char *seuser;
- char *mls_range;
+ const char *mls_range;
char *ptr;
char *username;
char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
}
if (*ptr == '\0') {
/* No mls_range specified */
- mls_range = NULL;
+ mls_range = "";
} else {
*ptr = '\0'; /* split */
mls_range = ptr + 1;
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ ibuf->seuser = "";
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ "Empty SELinux user, will delete the mapping\n");
} else {
if ((p + len ) > size) return EINVAL;
ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
if (len == 0) {
- return EINVAL;
+ if (strcmp(ibuf->seuser, "") != 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+ return EINVAL;
+ }
} else {
if ((p + len ) > size) return EINVAL;
ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
if (len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
return EINVAL;
} else {
if ((p + len ) > size) return EINVAL;
--
2.3.3
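Review bot: `ibuf->seuser = "";` on the zero-length path stores a string literal in a field that the non-empty path fills with `talloc_strndup(ibuf, ...)`; C accepts the assignment silently, but it mixes a static string with talloc-owned ones in the same field, so any later talloc_free() of ibuf->seuser or in-place edit of it would be undefined behaviour. `ibuf->seuser = talloc_strdup(ibuf, "");` with the same NULL/ENOMEM handling the other branch presumably has keeps ownership uniform. The second hunk leaves ibuf->mls_range untouched when both lengths are zero; that is only safe if the caller never reads mls_range for an empty seuser, which the del_seuser branch in the preceding patch suggests but these hunks cannot show. unpack_buffer starts and ends outside the hunks.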


@ -27,7 +27,7 @@
Name: sssd Name: sssd
Version: 1.12.4 Version: 1.12.4
Release: 4%{?dist} Release: 5%{?dist}
Group: Applications/System Group: Applications/System
Summary: System Security Services Daemon Summary: System Security Services Daemon
License: GPLv3+ License: GPLv3+
@ -51,6 +51,8 @@ Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch
Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch
Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch
Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch
Patch0016: 0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch
Patch0017: 0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch
### Dependencies ### ### Dependencies ###
Requires: sssd-common = %{version}-%{release} Requires: sssd-common = %{version}-%{release}
@ -1019,6 +1021,11 @@ if [ $1 -eq 0 ]; then
fi fi
%changelog %changelog
* Mon Mar 23 2015 Lukas Slebodnik <lslebodn@redhat.com> - 1.12.4-5
- Fix regressions with ipa and SELinux
- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security
context on client is staff_u
* Fri Mar 6 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.4-4 * Fri Mar 6 2015 Jakub Hrozek <jhrozek@redhat.com> - 1.12.4-4
- Also relax libldb Requires - Also relax libldb Requires
- Remove --enable-ldb-version-check - Remove --enable-ldb-version-check