From 6772568c21cbea19c63ff047a5f668dc3372a114 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Jan 27 2015 17:07:25 +0000
Subject: SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root

https://fedorahosted.org/sssd/ticket/2564

libselinux uses many access(2) calls and access() uses the real UID, not the effective UID for the check. Therefore, the setuid selinux_child, which only has effective UID of root would fail the check.

Reviewed-by: Michal Židek
(cherry picked from commit 486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a)
---
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index cb6f964..6390d43 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -197,7 +197,23 @@ int main(int argc, const char *argv[])
     DEBUG(SSSDBG_TRACE_FUNC, "selinux_child started.\n");
 
     DEBUG(SSSDBG_TRACE_INTERNAL,
-          "Running as [%"SPRIuid"][%"SPRIgid"].\n", geteuid(), getegid());
+          "Running with effective IDs: [%"SPRIuid"][%"SPRIgid"].\n",
+          geteuid(), getegid());
+
+    /* libsemanage calls access(2) which works with real IDs, not effective.
+     * We need to switch also the real ID to 0.
+     */
+    if (getuid() != 0) {
+        setuid(0);
+    }
+
+    if (getgid() != 0) {
+        setgid(0);
+    }
+
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "Running with real IDs [%"SPRIuid"][%"SPRIgid"].\n",
+          getuid(), getgid());
 
     main_ctx = talloc_new(NULL);
     if (main_ctx == NULL) {
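Review bot: The return values of `setuid(0)` and `setgid(0)` in the added block are ignored, so if either call fails the child continues with a non-zero real UID/GID, the access(2) checks this change exists to satisfy still fail later, and nothing in the log points at the cause; both calls return -1 with errno set and the process should fail closed when they do. The `getuid() != 0` / `getgid() != 0` branches are only taken when the binary was started with a non-root real ID, which is exactly the misconfigured-installation case (binary not setuid root, or CAP_SETUID/CAP_SETGID missing) where a clear failure message matters most. The added comment names libsemanage while the commit message names libselinux; `/* libselinux/libsemanage use access(2), which checks the real IDs, not the effective ones */` would cover both. The rewritten lines below assume errno and strerror are available in this file and use `return EXIT_FAILURE` as a stand-in for whatever failure path the rest of main uses; main's body starts before and ends after the hunk.
```c
    /* libselinux/libsemanage use access(2), which checks the real IDs, not
     * the effective ones, so the real UID/GID must be 0 as well. Fail closed
     * if that is not possible rather than continuing half-privileged.
     */
    if (getuid() != 0 && setuid(0) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "setuid(0) failed [%d][%s].\n",
              errno, strerror(errno));
        return EXIT_FAILURE; /* use the failure path the rest of main uses */
    }

    if (getgid() != 0 && setgid(0) != 0) {
        DEBUG(SSSDBG_CRIT_FAILURE, "setgid(0) failed [%d][%s].\n",
              errno, strerror(errno));
        return EXIT_FAILURE; /* use the failure path the rest of main uses */
    }

    /* … unchanged: "Running with real IDs" DEBUG and main_ctx allocation … */
```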