From a77f0b5c39b1f6c497b2b5c6c072d2f4f6e7a745 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Mon, 26 Jan 2015 15:15:29 +0100

Subject: [PATCH 182/183] SELINUX: Call setuid(0)/setgid(0) to also set the

 real IDs to root

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

https://fedorahosted.org/sssd/ticket/2564

libselinux uses many access(2) calls and access() uses the real UID,

not the effective UID for the check. Therefore, the setuid selinux_child,

which only has effective UID of root would fail the check.

Reviewed-by: Michal Židek <mzidek@redhat.com>

(cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)

---

 src/providers/ipa/selinux_child.c | 18 +++++++++++++++++-

 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c

index a38ffcb26f890349f47478063103e603fe6304cf..bda89c847dc160e1d667d333ee515cf7260e7db8 100644

--- a/src/providers/ipa/selinux_child.c

+++ b/src/providers/ipa/selinux_child.c

@@ -197,7 +197,23 @@ int main(int argc, const char *argv[])

     DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");

     DEBUG(SSSDBG_TRACE_INTERNAL,

-          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());

+          "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",

+          geteuid(), getegid());

+

+    /* libsemanage calls access(2) which works with real IDs, not effective.

+     * We need to switch also the real ID to 0.

+     */

+    if (getuid() != 0) {

+        setuid(0);

+    }

+

+    if (getgid() != 0) {

+        setgid(0);

+    }

+

+    DEBUG(SSSDBG_TRACE_INTERNAL,

+          "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",

+          getuid(), getgid());

     main_ctx = talloc_new(NULL);

     if (main_ctx == NULL) {

-- 

2.1.0