From 0006bd76856787614f961001929fea95d0669fe5 Mon Sep 17 00:00:00 2001

From: Justin Stephenson <jstephen@redhat.com>

Date: Thu, 9 Mar 2017 17:21:37 -0500

Subject: [PATCH 203/205] SELINUX: Use getseuserbyname to get IPA seuser

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

The libselinux function getseuserbyname is more reliable method to retrieve

SELinux usernames then functions from libsemanage `semanage_user_query`

and is recommended by libsemanage developers.

Replace get_seuser function with getseuserbyname.

Resolves:

https://pagure.io/SSSD/sssd/issue/3308

Reviewed-by: Michal Židek <mzidek@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

Reviewed-by: Petr Lautrbach <plautrba@redhat.com>

(cherry picked from commit cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce)

---

 Makefile.am                       |  1 +

 src/providers/ipa/selinux_child.c | 12 +++----

 src/util/sss_semanage.c           | 73 ---------------------------------------

 src/util/util.h                   |  2 --

 4 files changed, 7 insertions(+), 81 deletions(-)

diff --git a/Makefile.am b/Makefile.am

index cdd517d50679b876814303fb7d6c63d49bcd8d38..1eb398830e4817d4da0878a6577b45df101e920d 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -4094,6 +4094,7 @@ selinux_child_LDADD = \

     $(POPT_LIBS) \

     $(DHASH_LIBS) \

     $(SEMANAGE_LIBS) \

+    $(SELINUX_LIBS) \

     $(NULL)

 endif

diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c

index f8dd3954a7244df2dcbb910aabf8888f41306c09..073475094ee491bd5453898c6ba65214fa14fe59 100644

--- a/src/providers/ipa/selinux_child.c

+++ b/src/providers/ipa/selinux_child.c

@@ -27,6 +27,7 @@

 #include <unistd.h>

 #include <sys/stat.h>

 #include <popt.h>

+#include <selinux/selinux.h>

 #include "util/util.h"

 #include "util/child_common.h"

@@ -172,11 +173,10 @@ static bool seuser_needs_update(struct input_buffer *ibuf)

     char *db_mls_range = NULL;

     errno_t ret;

-    ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);

+    ret = getseuserbyname(ibuf->username, &db_seuser, &db_mls_range);

     DEBUG(SSSDBG_TRACE_INTERNAL,

-          "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",

-          ret, sss_strerror(ret),

-          db_seuser ? db_seuser : "unknown",

+          "getseuserbyname: ret: %d seuser: %s mls: %s\n",

+          ret, db_seuser ? db_seuser : "unknown",

           db_mls_range ? db_mls_range : "unknown");

     if (ret == EOK && db_seuser && db_mls_range &&

             strcmp(db_seuser, ibuf->seuser) == 0 &&

@@ -188,8 +188,8 @@ static bool seuser_needs_update(struct input_buffer *ibuf)

         needs_update = false;

     }

-    talloc_free(db_seuser);

-    talloc_free(db_mls_range);

+    free(db_seuser);

+    free(db_mls_range);

     return needs_update;

 }

diff --git a/src/util/sss_semanage.c b/src/util/sss_semanage.c

index 0da97aad4d8eba733b131c2749932e03ca4242c4..37278cc986a1ea49dc2218a635d52b9d54ca089d 100644

--- a/src/util/sss_semanage.c

+++ b/src/util/sss_semanage.c

@@ -382,73 +382,6 @@ done:

     sss_semanage_close(handle);

     return ret;

 }

-

-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,

-               char **_seuser, char **_mls_range)

-{

-    errno_t ret;

-    const char *seuser;

-    const char *mls_range;

-    semanage_handle_t *sm_handle = NULL;

-    semanage_seuser_t *sm_user = NULL;

-    semanage_seuser_key_t *sm_key = NULL;

-

-    ret = sss_semanage_init(&sm_handle);

-    if (ret == ERR_SELINUX_NOT_MANAGED) {

-        goto done;

-    } else if (ret != EOK) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");

-        goto done;

-    }

-

-    ret = semanage_seuser_key_create(sm_handle, login_name, &sm_key);

-    if (ret != EOK) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create key for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    ret = semanage_seuser_query(sm_handle, sm_key, &sm_user);

-    if (ret < 0) {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot query for %s\n", login_name);

-        ret = EIO;

-        goto done;

-    }

-

-    seuser = semanage_seuser_get_sename(sm_user);

-    if (seuser != NULL) {

-        *_seuser = talloc_strdup(mem_ctx, seuser);

-        if (*_seuser == NULL) {

-            ret = ENOMEM;

-            goto done;

-        }

-        DEBUG(SSSDBG_OP_FAILURE,

-              "SELinux user for %s: %s\n", login_name, *_seuser);

-    } else {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get sename for %s\n", login_name);

-    }

-

-    mls_range = semanage_seuser_get_mlsrange(sm_user);

-    if (mls_range != NULL) {

-        *_mls_range = talloc_strdup(mem_ctx, mls_range);

-        if (*_mls_range == NULL) {

-            ret = ENOMEM;

-            goto done;

-        }

-        DEBUG(SSSDBG_OP_FAILURE,

-              "SELinux range for %s: %s\n", login_name, *_mls_range);

-    } else {

-        DEBUG(SSSDBG_CRIT_FAILURE, "Cannot get mlsrange for %s\n", login_name);

-    }

-

-    ret = EOK;

-done:

-    semanage_seuser_key_free(sm_key);

-    semanage_seuser_free(sm_user);

-    sss_semanage_close(sm_handle);

-    return ret;

-}

-

 #else /* HAVE_SEMANAGE */

 int set_seuser(const char *login_name, const char *seuser_name,

                const char *mls)

@@ -460,10 +393,4 @@ int del_seuser(const char *login_name)

 {

     return EOK;

 }

-

-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,

-               char **_seuser, char **_mls_range)

-{

-    return EOK;

-}

 #endif  /* HAVE_SEMANAGE */

diff --git a/src/util/util.h b/src/util/util.h

index 72d4116e1206e9cc69715edc45bf5b9b91e37e6b..1719d8eec1b6b05877b9be3382589e442bff85be 100644

--- a/src/util/util.h

+++ b/src/util/util.h

@@ -658,8 +658,6 @@ errno_t restore_creds(struct sss_creds *saved_creds);

 int set_seuser(const char *login_name, const char *seuser_name,

                const char *mlsrange);

 int del_seuser(const char *login_name);

-int get_seuser(TALLOC_CTX *mem_ctx, const char *login_name,

-               char **_seuser, char **_mls_range);

 /* convert time from generalized form to unix time */

 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);

-- 

2.14.3