To reproduce, set the default context to an empty string ("") but also
remove any configured SELinux maps from the IPA server.
>From e190c2ec1946a45b3809ac8f74c2199ea4ef6aad Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 12 Mar 2015 16:31:13 +0100
Subject: [PATCH] selinux: Handle setup with empty default and no configured
 rules

SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.

Related to:
https://fedorahosted.org/sssd/ticket/2587
---
 src/providers/ipa/ipa_selinux.c   |  4 ++--
 src/providers/ipa/selinux_child.c | 10 ++++++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 
50ff840560b38a0e2537b61df00191278d346ff2..95a9efabfb6dd9af6fc62e7ab8699941bdb20ca9
 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -808,7 +808,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
 {
     errno_t ret;
     char *seuser;
-    char *mls_range;
+    const char *mls_range;
     char *ptr;
     char *username;
     char *username_final;
@@ -834,7 +834,7 @@ selinux_child_setup(TALLOC_CTX *mem_ctx,
     }
     if (*ptr == '\0') {
         /* No mls_range specified */
-        mls_range = NULL;
+        mls_range = "";
     } else {
         *ptr = '\0'; /* split */
         mls_range = ptr + 1;
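Review bot: The empty string stored here is not a generic "range is optional" value: the child side of this same patch rejects a zero-length mls_range unless the SELinux user is empty as well, so this branch only leads to a successful child run for the "no matching map, empty default context" setup the commit describes. That coupling deserves a comment on the assignment, e.g. `/* Empty MLS range: selinux_child accepts this only together with an empty seuser (no SELinux map matched and the default context is "") */`. How mls_range is then packed into the child's buffer is outside the hunk, and selinux_child_setup itself starts and ends outside it.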
diff --git a/src/providers/ipa/selinux_child.c 
b/src/providers/ipa/selinux_child.c
index 
3756557a5e28624e6437e805ca8a387d2f65dd1f..81c1de877ef08a299d07837fefcd195d465849fa
 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -49,7 +49,9 @@ static errno_t unpack_buffer(uint8_t *buf,
     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
     DEBUG(SSSDBG_TRACE_INTERNAL, "seuser length: %d\n", len);
     if (len == 0) {
-        return EINVAL;
+        ibuf->seuser = "";
+        DEBUG(SSSDBG_TRACE_INTERNAL,
+              "Empty SELinux user, will delete the mapping\n");
     } else {
         if ((p + len ) > size) return EINVAL;
         ibuf->seuser = talloc_strndup(ibuf, (char *)(buf + p), len);
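Review bot: The new `len == 0` branch stores the string literal `""` in `ibuf->seuser` while the `else` branch stores a talloc child of `ibuf`, so the same field now has two ownership models; if the field is declared `char *` (its declaration is not in the hunk) the literal also silently drops its const qualification, and any later write through it would be undefined behaviour. Allocating the empty value the same way as the non-empty one keeps ownership uniform: `ibuf->seuser = talloc_strdup(ibuf, ""); if (ibuf->seuser == NULL) return ENOMEM;`. The debug message claims the mapping will be deleted, which is behaviour of code beyond this function; unpack_buffer continues past the end of the hunk.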
@@ -62,7 +64,10 @@ static errno_t unpack_buffer(uint8_t *buf,
     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
     DEBUG(SSSDBG_TRACE_INTERNAL, "mls_range length: %d\n", len);
     if (len == 0) {
-        return EINVAL;
+        if (strcmp(ibuf->seuser, "") != 0) {
+            DEBUG(SSSDBG_CRIT_FAILURE, "No MLS mapping!\n");
+            return EINVAL;
+        }
     } else {
         if ((p + len ) > size) return EINVAL;
         ibuf->mls_range = talloc_strndup(ibuf, (char *)(buf + p), len);
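Review bot: When `len == 0` and `ibuf->seuser` is empty the new branch falls through without ever assigning `ibuf->mls_range`, whereas the matching seuser branch above explicitly stores `""`; unless `ibuf` is zero-allocated before this point (not visible here) the consumer sees an uninitialized pointer, and even with zeroing it sees NULL for one field and a string for the other. Adding `ibuf->mls_range = "";` right after the inner `if` block keeps the two fields consistent, and allocating it with `talloc_strdup(ibuf, "")` would keep ownership uniform with the `else` branch. The `strcmp(ibuf->seuser, "") != 0` test reads more plainly as `ibuf->seuser[0] != '\0'`. unpack_buffer continues past the end of the hunk.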
@@ -75,6 +80,7 @@ static errno_t unpack_buffer(uint8_t *buf,
     SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p);
     DEBUG(SSSDBG_TRACE_INTERNAL, "username length: %d\n", len);
     if (len == 0) {
+        DEBUG(SSSDBG_CRIT_FAILURE, "No username set!\n");
         return EINVAL;
     } else {
         if ((p + len ) > size) return EINVAL;
-- 
2.1.0
