Commit 78a08d3 selinux: Do not fail if SELinux is not managed

5 files Authored by mzidek a year ago , Committed by lslebodn a year ago ,
selinux: Do not fail if SELinux is not managed

Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.

Resolves:
https://fedorahosted.org/sssd/ticket/3297

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

    
1 @@ -4040,6 +4040,7 @@
2       src/util/atomic_io.c \
3       src/util/util.c \
4       src/util/util_ext.c \
5 +     src/util/util_errors.c
6       $(NULL)
7   selinux_child_CFLAGS = \
8       $(AM_CFLAGS) \
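Review bot: The added `src/util/util_errors.c` entry has no trailing backslash, unlike the sibling entries above it, so the `$(NULL)` on the following line is no longer part of the same source-list continuation and automake is likely to reject or misparse it. Unless the page rendering dropped the character, the line should read `src/util/util_errors.c \`. The variable being extended (presumably a `selinux_child_SOURCES` list) starts outside the hunk.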
 1 @@ -174,14 +174,19 @@
 2   
 3       ret = get_seuser(ibuf, ibuf->username, &db_seuser, &db_mls_range);
 4       DEBUG(SSSDBG_TRACE_INTERNAL,
 5 -           "get_seuser: ret: %d seuser: %s mls: %s\n",
 6 -           ret, db_seuser ? db_seuser : "unknown",
 7 +           "get_seuser: ret: %d msg: [%s] seuser: %s mls: %s\n",
 8 +           ret, sss_strerror(ret),
 9 +           db_seuser ? db_seuser : "unknown",
10             db_mls_range ? db_mls_range : "unknown");
11       if (ret == EOK && db_seuser && db_mls_range &&
12               strcmp(db_seuser, ibuf->seuser) == 0 &&
13               strcmp(db_mls_range, ibuf->mls_range) == 0) {
14           needs_update = false;
15       }
16 +     /* OR */
17 +     if (ret == ERR_SELINUX_NOT_MANAGED) {
18 +         needs_update = false;
19 +     }
20   
21       talloc_free(db_seuser);
22       talloc_free(db_mls_range);
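Review bot: The `/* OR */` comment above the new check does not say what it is an alternative to, and the reader has to work out that a get_seuser result of ERR_SELINUX_NOT_MANAGED means there is no libsemanage-managed store to update at all; that get_seuser propagates this code is only inferable from the third sss_semanage.c hunk, so worth confirming. It would read more clearly folded into the preceding conditional: `} else if (ret == ERR_SELINUX_NOT_MANAGED) { /* No libsemanage-managed store: nothing to update */ needs_update = false; }`. The enclosing function and the initial value of `needs_update` are outside the hunk.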
  1 @@ -73,7 +73,7 @@
  2       semanage_handle_destroy(handle);
  3   }
  4   
  5 - static semanage_handle_t *sss_semanage_init(void)
  6 + static int sss_semanage_init(semanage_handle_t **_handle)
  7   {
  8       int ret;
  9       semanage_handle_t *handle = NULL;
 10 @@ -81,7 +81,8 @@
 11       handle = semanage_handle_create();
 12       if (!handle) {
 13           DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux management handle\n");
 14 -         return NULL;
 15 +         ret = EIO;
 16 +         goto done;
 17       }
 18   
 19       semanage_msg_set_callback(handle,
 20 @@ -89,28 +90,41 @@
 21                                 NULL);
 22   
 23       ret = semanage_is_managed(handle);
 24 -     if (ret != 1) {
 25 -         DEBUG(SSSDBG_CRIT_FAILURE, "SELinux policy not managed\n");
 26 -         goto fail;
 27 +     if (ret == 0) {
 28 +         DEBUG(SSSDBG_TRACE_FUNC, "SELinux policy not managed via libsemanage\n");
 29 +         ret = ERR_SELINUX_NOT_MANAGED;
 30 +         goto done;
 31 +     } else if (ret == -1) {
 32 +         DEBUG(SSSDBG_CRIT_FAILURE, "Call to semanage_is_managed failed\n");
 33 +         ret = EIO;
 34 +         goto done;
 35       }
 36   
 37       ret = semanage_access_check(handle);
 38       if (ret < SEMANAGE_CAN_READ) {
 39           DEBUG(SSSDBG_CRIT_FAILURE, "Cannot read SELinux policy store\n");
 40 -         goto fail;
 41 +         ret = EACCES;
 42 +         goto done;
 43       }
 44   
 45       ret = semanage_connect(handle);
 46       if (ret != 0) {
 47           DEBUG(SSSDBG_CRIT_FAILURE,
 48                 "Cannot estabilish SELinux management connection\n");
 49 -         goto fail;
 50 +         ret = EIO;
 51 +         goto done;
 52       }
 53   
 54 -     return handle;
 55 - fail:
 56 -     sss_semanage_close(handle);
 57 -     return NULL;
 58 +     ret = EOK;
 59 + 
 60 + done:
 61 +     if (ret != EOK) {
 62 +         sss_semanage_close(handle);
 63 +     } else {
 64 +         *_handle = handle;
 65 +     }
 66 + 
 67 +     return ret;
 68   }
 69   
 70   static int sss_semanage_user_add(semanage_handle_t *handle,
 71 @@ -228,10 +242,11 @@
 72           return EOK;
 73       }
 74   
 75 -     handle = sss_semanage_init();
 76 -     if (!handle) {
 77 -         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
 78 -         ret = EIO;
 79 +     ret = sss_semanage_init(&handle);
 80 +     if (ret == ERR_SELINUX_NOT_MANAGED) {
 81 +         goto done;
 82 +     } else if (ret != EOK) {
 83 +         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
 84           goto done;
 85       }
 86   
 87 @@ -295,10 +310,11 @@
 88       int ret;
 89       int exists = 0;
 90   
 91 -     handle = sss_semanage_init();
 92 -     if (!handle) {
 93 -         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot init SELinux management\n");
 94 -         ret = EIO;
 95 +     ret = sss_semanage_init(&handle);
 96 +     if (ret == ERR_SELINUX_NOT_MANAGED) {
 97 +         goto done;
 98 +     } else if (ret != EOK) {
 99 +         DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
100           goto done;
101       }
102   
103 @@ -377,10 +393,11 @@
104       semanage_seuser_t *sm_user = NULL;
105       semanage_seuser_key_t *sm_key = NULL;
106   
107 -     sm_handle = sss_semanage_init();
108 -     if (sm_handle == NULL) {
109 +     ret = sss_semanage_init(&sm_handle);
110 +     if (ret == ERR_SELINUX_NOT_MANAGED) {
111 +         goto done;
112 +     } else if (ret != EOK) {
113           DEBUG(SSSDBG_CRIT_FAILURE, "Cannot create SELinux handle\n");
114 -         ret = EIO;
115           goto done;
116       }
117   
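Review bot: After the `done:` label in sss_semanage_init, `sss_semanage_close(handle)` is now reached with `handle == NULL` when semanage_handle_create() fails, a path the old code avoided by returning NULL directly. Only the tail of sss_semanage_close is visible (the `semanage_handle_destroy(handle)` call at the top of the hunk), so unless it already guards against NULL the cleanup should be `if (ret != EOK && handle != NULL) { sss_semanage_close(handle); }`. A smaller point is that the `ret < SEMANAGE_CAN_READ` branch maps libsemanage's -1 error return and a genuine permission denial to the same EACCES and the same "Cannot read" message, which muddles diagnosis. The three caller hunks (+242, +310, +393) now hand ERR_SELINUX_NOT_MANAGED up to their own callers; the selinux_child.c hunk shows get_seuser's caller treating it as non-fatal, but whether the callers of the other two sites do is not visible here.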
1 @@ -75,6 +75,7 @@
2       { "Cannot connect to system bus" }, /* ERR_NO_SYSBUS */
3       { "LDAP search returned a referral" }, /* ERR_REFERRAL */
4       { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
5 +     { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
6       { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
7       { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
8       { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */
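Review bot: The new string sits after ERR_SELINUX_CONTEXT and the header hunk inserts ERR_SELINUX_NOT_MANAGED at the same position, so the table and the enum stay index-aligned. Inserting mid-enum does, however, change the numeric value of every later code (ERR_REGEX_NOMATCH onward); that is harmless if ERR_* values only ever live inside one build, but if any of them is persisted or exchanged between separately built components the new code should be appended at the end instead. If the enum in the header does not already carry one outside the hunk, a comment such as `/* Keep in sync with the string table in util_errors.c */` would guard the alignment.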
1 @@ -97,6 +97,7 @@
2       ERR_NO_SYSBUS,
3       ERR_REFERRAL,
4       ERR_SELINUX_CONTEXT,
5 +     ERR_SELINUX_NOT_MANAGED,
6       ERR_REGEX_NOMATCH,
7       ERR_TIMESPEC_NOT_SUPPORTED,
8       ERR_INVALID_CONFIG,