Hi,

I'm still working on the SELinux provider unit tests, but mocking the
interfaces it uses turned out to be more work than I anticipated, so I'm
sending the patch without a test for now and will send the test
asynchronously.
>From 81b5c69160542917910f2ed1ef41c5970596a4d1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Fri, 13 Feb 2015 17:57:35 +0100
Subject: [PATCH] selinux: Delete existing user mapping on empty default

https://fedorahosted.org/sssd/ticket/2587

The case of the SELinux default user mapping being an empty string is valid;
it should translate into "pick the default context on the target
machine".

In case the context is empty, we need to delete the per-user mapping from
the SELinux database to make sure the default is used.
---
 src/providers/ipa/ipa_selinux.c   | 14 ++++++++------
 src/providers/ipa/selinux_child.c | 10 +++++++++-
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 
4286eb1630f16d4b43e8fd83a0e1dcf401d0a3d1..50ff840560b38a0e2537b61df00191278d346ff2
 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -749,7 +749,7 @@ static errno_t choose_best_seuser(TALLOC_CTX *mem_ctx,
 
     /* If no maps match, we'll use the default SELinux user from the
      * config */
-    seuser_mls_str = talloc_strdup(tmp_ctx, default_user);
+    seuser_mls_str = talloc_strdup(tmp_ctx, default_user ? default_user : "");
     if (seuser_mls_str == NULL) {
         ret = ENOMEM;
         goto done;
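Review bot: The new conditional folds a NULL default_user into "", so a missing default now travels on as the empty string (which, per the commit message, means "remove the per-user mapping"), whereas before talloc_strdup() of a NULL string returned NULL and the function reported ENOMEM; that behaviour change is not reflected in the comment just above it. I would extend that comment: `/* If no maps match, fall back to the configured default. A missing or empty default both mean "use the target system's default": the empty string is passed on and the per-user mapping is removed downstream. */`. choose_best_seuser() starts and ends outside the hunk, so whether a NULL default_user can actually reach this line cannot be confirmed from here.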
@@ -1373,11 +1373,13 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
         return ENOMEM;
     }
 
-    ret = sysdb_attrs_add_string(state->defaults,
-                                 IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
-                                 default_user);
-    if (ret != EOK) {
-        return ret;
+    if (default_user) {
+        ret = sysdb_attrs_add_string(state->defaults,
+                                    IPA_CONFIG_SELINUX_DEFAULT_USER_CTX,
+                                    default_user);
+        if (ret != EOK) {
+            return ret;
+        }
     }
 
     ret = sysdb_attrs_add_string(state->defaults,
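Review bot: The new `if (default_user)` guard silently leaves IPA_CONFIG_SELINUX_DEFAULT_USER_CTX unset for a NULL default while still storing an empty default as "", and nothing in the hunk says why the two cases are treated differently or that they are expected to converge when read back. A short comment would save the next reader a trip through the cache code: `/* No default configured: leave the attribute unset rather than storing a NULL. An empty default is still stored as "", so the reader can tell the two apart. */`. ipa_get_selinux_maps_offline() begins before the hunk, and how the consumer of state->defaults treats an absent attribute versus "" is not visible here, so that convergence should be confirmed rather than assumed.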
diff --git a/src/providers/ipa/selinux_child.c 
b/src/providers/ipa/selinux_child.c
index 
63d4b929786d4b8cc0d40f0c65009673c7309094..3756557a5e28624e6437e805ca8a387d2f65dd1f
 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -146,7 +146,15 @@ static int sc_set_seuser(const char *login_name, const 
char *seuser_name,
      * the directories are created with the expected permissions
      */
     old_mask = umask(0);
-    ret = set_seuser(login_name, seuser_name, mls);
+    if (strcmp(seuser_name, "") == 0) {
+        /* An empty SELinux user should cause SSSD to use the system
+         * default. We need to remove the SELinux user from the DB
+         * in that case
+         */
+        ret = del_seuser(login_name);
+    } else {
+        ret = set_seuser(login_name, seuser_name, mls);
+    }
     umask(old_mask);
     return ret;
 }
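Review bot: `strcmp(seuser_name, "")` dereferences seuser_name unconditionally, whereas the old code handed it straight to set_seuser(); if a NULL can reach this privileged child (the pipe/parsing side is not in the hunk), the comparison is undefined behaviour before any error handling runs. A NULL-tolerant and simpler test is `if (seuser_name == NULL || seuser_name[0] == '\0') {`. It is also worth confirming what del_seuser() returns when the user has no mapping yet: if "no such mapping" comes back as an error, every first login of a user with an empty default would fail on a path that should be a no-op, and the caller would need to treat that case as success. sc_set_seuser() starts outside the hunk (only its closing brace is shown), so the caller's handling of ret is not visible.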
-- 
2.1.0
