From 36805df39726ce2af08a99d7a9a8b596b748b0c6 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Mar 23 2015 16:17:30 +0000 Subject: Fix regressions with ipa and SELinux - Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security context on client is staff_u --- diff --git a/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch b/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch new file mode 100644 index 0000000..b1eb32e --- /dev/null +++ b/0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch 
@@ -0,0 +1,81 @@ +From e991859590d4b598193f192674fca0ded1914bae Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Fri, 13 Feb 2015 17:57:35 +0100 +Subject: [PATCH 16/17] selinux: Delete existing user mapping on empty default +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +https://fedorahosted.org/sssd/ticket/2587 + +The case of SELinux default user mapping being an empty string is valid, +it should translate into "pick the default context on the target +machine". + +In case the context is empty, we need to delete the per-user mapping from +the SELinux database to make sure the default is used. + +Reviewed-by: Michal Židek +Reviewed-by: Pavel Reichl +(cherry picked from commit 01f78f755fde63997ccfded71fb8395569b11430) +--- + src/providers/ipa/ipa_selinux.c | 14 ++++++++------ + src/providers/ipa/selinux_child.c | 10 +++++++++- + 2 files changed, 17 insertions(+), 7 deletions(-) + +diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c +index f7e17c97f0bf8d6c64eb045c3bc954da8eb3d568..00c793a2643b51e59884730fa4f0ba3c7ed1bea6 100644 +--- a/src/providers/ipa/ipa_selinux.c ++++ b/src/providers/ipa/ipa_selinux.c +@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx, + + /* If no maps match, we'll use the default SELinux user from the + * config */ +- seuser_mls_str = talloc_strdup(tmp_ctx, default_user); ++ seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? 
default_user : ""); + if (seuser_mls_str == NULL) { + ret = ENOMEM; + goto done; +@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req) + return ENOMEM; + } + +- ret = sysdb_attrs_add_string(state->defaults, +- IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, +- default_user); +- if (ret != EOK) { +- return ret; ++ if (default_user) { ++ ret = sysdb_attrs_add_string(state->defaults, ++ IPA_CONFIG_SELINUX_DEFAULT_USER_CTX, ++ default_user); ++ if (ret != EOK) { ++ return ret; ++ } + } + + ret = sysdb_attrs_add_string(state->defaults, +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const char *seuser_name, + * the directories are created with the expected permissions + */ + old_mask = umask(0); +- ret = set_seuser(login_name, seuser_name, mls); ++ if (strcmp(seuser_name, "") == 0) { ++ /* An empty SELinux user should cause SSSD to use the system ++ * default. We need to remove the SELinux user from the DB ++ * in that case ++ */ ++ ret = del_seuser(login_name); ++ } else { ++ ret = set_seuser(login_name, seuser_name, mls); ++ } + umask(old_mask); + return ret; + } +-- +2.3.3 + diff --git a/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch b/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch new file mode 100644 index 0000000..28c1443 --- /dev/null +++ b/0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch 
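Review bot: The new empty-`seuser_name` branch in `sc_set_seuser` is unreachable with this patch alone: `unpack_buffer` in the same file still returns EINVAL for a zero-length seuser, and only the following 0017 patch relaxes that, so 0016 by itself does not deliver the behaviour its description promises and the two patches must stay paired in the spec. Inside the branch, `if (seuser_name[0] == '\0')` expresses the same test as `strcmp(seuser_name, "") == 0` without the library call; either form dereferences `seuser_name` unconditionally, which is fine only as long as `unpack_buffer` never hands over a NULL pointer. Whether `del_seuser` treats an absent mapping as an error is not visible here; if it does, the first login of a user whose default is empty would fail, so the call may need to tolerate a "no such mapping" result (to be confirmed against del_seuser). sc_set_seuser begins outside this hunk.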
@@ -0,0 +1,82 @@ +From 4c047cc4720227ca7ad80f02546493ba6e0199ef Mon Sep 17 00:00:00 2001 +From: Jakub Hrozek +Date: Thu, 12 Mar 2015 16:31:13 +0100 +Subject: [PATCH 17/17] selinux: Handle setup with empty default and no + configured rules +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +SSSD also needs to handle the setup where no rules match the machine and +the default has no MLS component. + +Related to: +https://fedorahosted.org/sssd/ticket/2587 + +Reviewed-by: Michal Židek +(cherry picked from commit 3e6dac8e14f8a3da6d359ee013453dbd8a38dd99) +--- + src/providers/ipa/ipa_selinux.c | 4 ++-- + src/providers/ipa/selinux_child.c | 10 ++++++++-- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c +index 00c793a2643b51e59884730fa4f0ba3c7ed1bea6..cdb0dfa388eb3743e0b937befd63cf05ae94b71e 100644 +--- a/src/providers/ipa/ipa_selinux.c ++++ b/src/providers/ipa/ipa_selinux.c +@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, + { + errno_t ret; + char *seuser; +- char *mls_range; ++ const char *mls_range; + char *ptr; + char *username; + char *username_final; +@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx, + } + if (*ptr == '\0') { + /* No mls_range specified */ +- mls_range = NULL; ++ mls_range = ""; + } else { + *ptr = '\0'; /* split */ + mls_range = ptr + 1; +diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c +index 3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa 100644 +--- a/src/providers/ipa/selinux_child.c ++++ b/src/providers/ipa/selinux_child.c +@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len); + if (len == 0) { +- return EINVAL; ++ ibuf->seuser = ""; ++ DEBUG(SSSDBG_TRACE_INTERNAL, ++ "Empty SELinux user, will delete the 
mapping\n"); + } else { + if ((p + len ) > size) return EINVAL; + ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len); +@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len); + if (len == 0) { +- return EINVAL; ++ if (strcmp(ibuf->seuser, "") != 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n"); ++ return EINVAL; ++ } + } else { + if ((p + len ) > size) return EINVAL; + ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len); +@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf, + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len); + if (len == 0) { ++ DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n"); + return EINVAL; + } else { + if ((p + len ) > size) return EINVAL; +-- +2.3.3 + diff --git a/sssd.spec b/sssd.spec index 7f959cc..4e2b17e 100644 --- a/sssd.spec +++ b/sssd.spec @@ -27,7 +27,7 @@ Name: sssd Version: 1.12.4 -Release: 4%{?dist} +Release: 5%{?dist} Group: Applications/System Summary: System Security Services Daemon License: GPLv3+ @@ -51,6 +51,8 @@ Patch0012: 0012-BUILD-Add-possibility-to-build-python-2-3-bindings.patch Patch0013: 0013-TESTS-Run-python-tests-with-all-supported-python-ver.patch Patch0014: 0014-SPEC-Replace-python_-macros-with-python2_.patch Patch0015: 0015-SPEC-Build-python3-bindings-on-available-platforms.patch +Patch0016: 0016-selinux-Delete-existing-user-mapping-on-empty-defaul.patch +Patch0017: 0017-selinux-Handle-setup-with-empty-default-and-no-confi.patch ### Dependencies ### Requires: sssd-common = %{version}-%{release} 
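Review bot: `unpack_buffer` now rejects a zero-length mls_range whenever seuser is non-empty (`"No MLS mapping!"`), while the companion change in `selinux_child_setup` turns a missing MLS range into `""` rather than NULL; if the parent packs that empty string with length 0, a non-empty default without an MLS component would be refused by the child instead of handled as the description says, so this is worth confirming against the packing code, which is outside this hunk. Assigning the literal `""` to `ibuf->seuser`, and leaving `ibuf->mls_range` untouched when both lengths are zero, relies on those fields never being written through and on `ibuf` having been zero-initialised; neither is visible here, and a comment at the assignment such as `/* string literal, not talloc-owned: seuser must be treated as read-only */` would record the first assumption. unpack_buffer starts and ends outside these hunks.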
@@ -1019,6 +1021,11 @@ if [ $1 -eq 0 ]; then fi %changelog +* Mon Mar 23 2015 Lukas Slebodnik - 1.12.4-5 +- Fix regressions with ipa and SELinux +- Resolves: upstream #2587 - With empty ipaselinuxusermapdefault security + context on client is staff_u + * Fri Mar 6 2015 Jakub Hrozek - 1.12.4-4 - Also relax libldb Requires - Remove --enable-ldb-version-check