6b9c38df5712b951e31800efea2df0802e333e08 |
|
07-Feb-2018 |
Michal Židek <mzidek@redhat.com> |
util: Add sss_ prefix to some functions
Add sss_ prefix to del_seuser and set_seuser for consistency
with sss_get_seuser. Also sss_ prefix makes it clear that
these functions come from SSSD.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3618 |
450b472a68abf442479755c7916c757907b35ea5 |
|
07-Feb-2018 |
Michal Židek <mzidek@redhat.com> |
SELINUX: Check if SELinux is managed in selinux_child
If SELinux policy is not managed at all, don't call any SELinux user
handling functions and instead return that no update is needed.
Pair-Programmed-With: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3618 |
a24954cc19285b197fb287bfa7aa01949c92b17d |
|
10-Nov-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
CHILD: Pass information about logger to children
Variables debug_to_file or debug_to_stderr were not set
because back-end already used parameter --logger=%s.
And therefore logs were not sent to files.
It could only work in case of direct usage of --debug-to-files in back-end via
command configuration option.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
cb75b275d15beedd1fdecc1f8ced657fba282218 |
|
03-Nov-2017 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add parameter --logger to daemons
Different binaries handled information about logging differently
e.g. --debug-to-files --debug-to-stderr
And logging to journald was a special case of previous options
(!debug_file && !debug_to_stderr). It was also tied to the monitor option
"--daemon" and therefore logging to stderr was used in interactive mode
+ systemd Type=notify.
Resolves:
https://pagure.io/SSSD/sssd/issue/3433
Reviewed-by: Justin Stephenson <jstephen@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce |
|
06-Sep-2017 |
Justin Stephenson <jstephen@redhat.com> |
SELINUX: Use getseuserbyname to get IPA seuser
The libselinux function getseuserbyname is a more reliable method to retrieve
SELinux usernames than functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com> |
78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 |
|
06-Apr-2017 |
Michal Židek <mzidek@redhat.com> |
selinux: Do not fail if SELinux is not managed
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
cc2d77d5218c188119fa954c856e858cbde76947 |
|
20-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Rename dp_backend.h to backend.h
Reviewed-by: Sumit Bose <sbose@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
9f0bffebd070115ab47a92eadc6890a721c7b78d |
|
31-Aug-2015 |
Michal Židek <mzidek@redhat.com> |
sssd: incorrect checks on length values during packet decoding
https://fedorahosted.org/sssd/ticket/1697
It is safer to isolate the checked (unknown/untrusted)
value on the left hand side in the conditions
to avoid overflows/underflows.
Reviewed-by: Petr Cech <pcech@redhat.com> |
1e0fa55fb377db788e065de917ba8e149eb56161 |
|
14-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Only call semanage if the context actually changes
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differs from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
3e6dac8e14f8a3da6d359ee013453dbd8a38dd99 |
|
17-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Handle setup with empty default and no configured rules
SSSD also needs to handle the setup where no rules match the machine and
the default has no MLS component.
Related to:
https://fedorahosted.org/sssd/ticket/2587
Reviewed-by: Michal Židek <mzidek@redhat.com> |
01f78f755fde63997ccfded71fb8395569b11430 |
|
04-Mar-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Delete existing user mapping on empty default
https://fedorahosted.org/sssd/ticket/2587
The case of SELinux default user mapping being an empty string is valid,
it should translate into "pick the default context on the target
machine".
In case the context is empty, we need to delete the per-user mapping from
the SELinux database to make sure the default is used.
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
b0f46a3019e0ff4f375ef07682ceb9418751707f |
|
13-Feb-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SELINUX: Check the return value of setuid and setgid
Silences a Coverity warning
Reviewed-by: Pavel Reichl <preichl@redhat.com> |
8f78b6442f3176ee43aa06704a3adb9f4ac625d6 |
|
27-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SELINUX: Set and reset umask when calling set_seuser from daemon code
https://fedorahosted.org/sssd/ticket/2563
Reviewed-by: Michal Židek <mzidek@redhat.com> |
486f0d5227a9b81815aaaf7d9a2c39aafcbfdf6a |
|
27-Jan-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SELINUX: Call setuid(0)/setgid(0) to also set the real IDs to root
https://fedorahosted.org/sssd/ticket/2564
libselinux uses many access(2) calls and access() uses the real UID,
not the effective UID for the check. Therefore, the setuid selinux_child,
which only has effective UID of root would fail the check.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
8e44ddfccebe61728d8a2c1dafce36dfa944bc90 |
|
03-Dec-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
sss_atomic_write_s() return value is signed
Reviewed-by: Sumit Bose <sbose@redhat.com> |
013c01bd491b535e1705dbb3dbd8424cffc66b7a |
|
06-Nov-2014 |
Michal Zidek <mzidek@redhat.com> |
selinux_child: Do not ignore return values.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
f3a25949de81f80c136bb073e4a8f504b080c20c |
|
05-Nov-2014 |
Jakub Hrozek <jhrozek@redhat.com> |
IPA: Move setting the SELinux context to a child process
In order for the sssd_be process to run as unprivileged user, we need to
move the semanage processing to a process that runs as the root user
using setuid privileges.
Reviewed-by: Michal Židek <mzidek@redhat.com> |