IPA: Move setting the SELinux context to a child process

In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <[email protected]>
SSSD · Nov 5, 2014 · f3a2594 · f3a2594
1 parent 77b1337
commit f3a2594
Show file tree

Hide file tree

Showing 6 changed files with 691 additions and 20 deletions.
diff --git a/Makefile.am b/Makefile.am
@@ -146,6 +146,9 @@ endif
 if BUILD_SAMBA
 sssdlibexec_PROGRAMS += gpo_child
 endif
+if BUILD_SEMANAGE
+sssdlibexec_PROGRAMS += selinux_child
+endif
 
 
 if BUILD_PAC_RESPONDER
@@ -2531,6 +2534,26 @@ ldap_child_LDADD = \
     $(DHASH_LIBS) \
     $(KRB5_LIBS)
 
+if BUILD_SEMANAGE
+selinux_child_SOURCES = \
+    src/providers/ipa/selinux_child.c \
+    src/util/sss_semanage.c \
+    src/util/atomic_io.c \
+    src/util/util.c \
+    $(NULL)
+selinux_child_CFLAGS = \
+    $(AM_CFLAGS) \
+    $(POPT_CFLAGS) \
+    $(NULL)
+selinux_child_LDADD = \
+    libsss_debug.la \
+    $(TALLOC_LIBS) \
+    $(POPT_LIBS) \
+    $(DHASH_LIBS) \
+    $(SEMANAGE_LIBS) \
+    $(NULL)
+endif
+
 gpo_child_SOURCES = \
     src/providers/ad/ad_gpo_child.c \
     src/util/atomic_io.c \
@@ -2849,6 +2872,10 @@ endif
 if SSSD_USER
 	chgrp $(SSSD_USER) $(sssdlibexecdir)/ldap_child
 	chmod 4750 $(sssdlibexecdir)/ldap_child
+if BUILD_SEMANAGE
+	chgrp $(SSSD_USER) $(sssdlibexecdir)/selinux_child
+	chmod 4750 $(sssdlibexecdir)/selinux_child
+endif
 endif
 
 install-data-hook:

diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
@@ -665,6 +665,7 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING
 %attr(755,root,root) %dir %{pubconfpath}/krb5.include.d
 %{_libdir}/%{name}/libsss_ipa.so
+%attr(4750,root,sssd) %{_libexecdir}/%{servicename}/selinux_child
 %{_mandir}/man5/sssd-ipa.5*
 
 %files ad -f sssd_ad.lang