From 20dd4c33d226862d124b2f010181550e820df5f8 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 27 Jan 2015 11:12:18 +0100
Subject: [PATCH 183/183] SELINUX: Set and reset umask when caling set_seuser
from deamon code
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
https://fedorahosted.org/sssd/ticket/2563
|
Reviewed-by: Michal Židek <mzidek@redhat.com>
(cherry picked from commit 8f78b6442f3176ee43aa06704a3adb9f4ac625d6)
---
src/providers/ipa/selinux_child.c | 18 +++++++++++++++++-
src/util/util.h | 4 ++++
2 files changed, 21 insertions(+), 1 deletion(-)
|
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index bda89c847dc160e1d667d333ee515cf7260e7db8..d4670389667607972dd6f072b5ddfda5973e082b 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -135,6 +135,22 @@ static errno_t prepare_response(TALLOC_CTX *mem_ctx,
return EOK;
}
|
+static int sc_set_seuser(const char *login_name, const char *seuser_name,
+ const char *mls)
+{
+ int ret;
+ mode_t old_mask;
+
+ /* This is a workaround for
+ * https://bugzilla.redhat.com/show_bug.cgi?id=1186422 to make sure
+ * the directories are created with the expected permissions
+ */
+ old_mask = umask(0);
+ ret = set_seuser(login_name, seuser_name, mls);
+ umask(old_mask);
+ return ret;
+}
+
int main(int argc, const char *argv[])
{
int opt;
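Review bot: The `umask(0)` in the new `sc_set_seuser` clears every permission restriction for the whole of the `set_seuser` call, so anything libsemanage creates without an explicit restrictive mode ends up with exactly the mode the creating call asks for, and the comment above it only says the directories get the "expected permissions" without naming this trade-off or why the mask has to be fully cleared rather than merely relaxed. The umask is also process-wide, so the wrapper is only safe because selinux_child appears to be a single-purpose helper with no other file creation in flight during the call; that assumption is the reason the commit keeps the workaround out of the daemon and deserves stating next to the code, e.g. `/* umask is process-global: call this only from the single-threaded child, never from the daemon */`. `old_mask` is restored on every return path of this wrapper, which is good; the body of `main` continues past the end of the hunk.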
@@ -256,7 +272,7 @@ int main(int argc, const char *argv[])
|
DEBUG(SSSDBG_TRACE_FUNC, "performing selinux operations\n");
|
- ret = set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
+ ret = sc_set_seuser(ibuf->username, ibuf->seuser, ibuf->mls_range);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE, "Cannot set SELinux login context.\n");
goto fail;
diff --git a/src/util/util.h b/src/util/util.h
index 23624c8156a053bc6c30bda9796029af3da62d3a..bf3a9a057aed77e93949370f8651af2631d91432 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -628,6 +628,10 @@ errno_t switch_creds(TALLOC_CTX *mem_ctx,
errno_t restore_creds(struct sss_creds *saved_creds);
|
/* from sss_semanage.c */
+/* Please note that libsemange relies on files and directories created with
+ * certain permissions. Therefore the caller should make sure the umask is
+ * not too restricted (especially when called from the daemon code).
+ */
int set_seuser(const char *login_name, const char *seuser_name,
const char *mlsrange);
int del_seuser(const char *login_name);
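Review bot: The new comment above `set_seuser` tells the caller to keep the umask "not too restricted" but neither says what that means in practice nor that the relaxed umask must be put back afterwards, even though a relaxed umask applies to every later file creation in the process; the contract should state both halves, since the whole point of this change is that daemon code must not call this directly. Suggested wording: `/* libsemanage appears to rely on the modes it passes when creating files and directories not being masked out, so clear the umask around this call and restore it afterwards, as sc_set_seuser() in selinux_child.c does; do not call this from daemon code. */`. The comment also misspells "libsemange" for "libsemanage".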
--
2.1.0