SSSD / sssd

Clone

1e81d04 SELINUX: Also call is_selinux_enabled as a check for selinux child

1 file Authored by jhrozek 5 years ago, Committed by fidencio 5 years ago,
raw patch tree parent
1 file changed. 4 lines added. 0 lines removed.
src/util/sss_semanage.c
file modified
+4 -0 
    SELINUX: Also call is_selinux_enabled as a check for selinux child
    
    Resolves:
    https://pagure.io/SSSD/sssd/issue/3796
    
    The SSSD selinux management routines were only checking if SELinux is
    managed on the system. If it is managed, the code tries to proceed and
    set the login context, otherwise an error is returned which SSSD handles
    gracefully.
    
    But this is not enough, in some cases SELinux might be disabled, but
    managed and in these cases SSSD was returning strange errors, which
    might have prevented login with selinux provider in effect.
    
    We got this hint form the RH SELinux maintainer:
    """
    libsemanage is for managing SELinux infrastructure. generally if there's
    /etc/selinux/config where libsemanage can read SELINUXTYPE and SELinux
    module store - /etc/selinux/<SELINUXTYPE>/active (or
    /var/lib/selinux/<SELINUXTYPE>/active) - is available, libsemanage can
    manage it even when SELinux is disabled.
    
    I'm not sure if selinux_child doesn any is_selinux_enabled() checks but
    it could help to avoid such situations.
    """
    
    Reviewed-by: Fabiano FidĂȘncio <fidencio@redhat.com>
file modified
+4 -0
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.