6b9c38df5712b951e31800efea2df0802e333e08 |
|
07-Feb-2018 |
Michal Židek <mzidek@redhat.com> |
util: Add sss_ prefix to some functions
Add sss_ prefix to del_seuser and set_seuser for consistency
with sss_get_seuser. Also, the sss_ prefix makes it clear that
these functions come from SSSD.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3618 |
450b472a68abf442479755c7916c757907b35ea5 |
|
07-Feb-2018 |
Michal Židek <mzidek@redhat.com> |
SELINUX: Check if SELinux is managed in selinux_child
If SELinux policy is not managed at all, don't call any SELinux user
handling functions and instead return that no update is needed.
Pair-Programmed-With: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Resolves:
https://pagure.io/SSSD/sssd/issue/3618 |
cfe87ca0c4fded9cbf907697d08fa0e6c8f8ebce |
|
06-Sep-2017 |
Justin Stephenson <jstephen@redhat.com> |
SELINUX: Use getseuserbyname to get IPA seuser
The libselinux function getseuserbyname is a more reliable method to retrieve
SELinux usernames than functions from libsemanage `semanage_user_query`
and is recommended by libsemanage developers.
Replace get_seuser function with getseuserbyname.
Resolves:
https://pagure.io/SSSD/sssd/issue/3308
Reviewed-by: Michal Židek <mzidek@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Petr Lautrbach <plautrba@redhat.com> |
78a08d30b5fbf6e1e3b589e0cf67022e0c1faa33 |
|
06-Apr-2017 |
Michal Židek <mzidek@redhat.com> |
selinux: Do not fail if SELinux is not managed
Previously we failed if semanage_is_managed returned 0 or -1 (not
managed or error). With this patch we only fail in case of error and
continue normally if selinux is not managed by libsemanage at all.
Resolves:
https://fedorahosted.org/sssd/ticket/3297
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
a6d279489c35896432e60daa70be5728f0b6c243 |
|
01-Sep-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
DEBUG: Append line feed to messages from libsemanage
It wasn't simple to read log files from libsemanage
because they were on a single line.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com> |
c02b8482375837b57cb618ed56d4bede0e006d9d |
|
18-Jun-2016 |
Pavel Březina <pbrezina@redhat.com> |
Remove braces from DEBUG statements
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
7c30eade4ae794ed809845f2ef70dda849b6e7c9 |
|
23-Mar-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Allow to append new line in sss_vdebug_fn
libldb is not consistent with appending line feed
in debug messages. As a result of this, two messages can be on the same line
in sssd log files, which makes analyzing log files more difficult.
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
f6c1f6a561bdd5b4bba03c02988a724da3dad387 |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Use sss_vdebug_fn for callbacks
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
2a44a8c6683cfea218ee5329bcfad953dfeb6746 |
|
23-Feb-2016 |
Lukas Slebodnik <lslebodn@redhat.com> |
UTIL: Use prefix for debug function
Reviewed-by: Pavel Březina <pbrezina@redhat.com> |
589a8760b38d9e2dfa278764af12d59e1487fe07 |
|
11-May-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
SELINUX: Avoid disconnecting disconnected handle
Resolves:
https://fedorahosted.org/sssd/ticket/2649
libsemanage is very strict about its API usage and actually doesn't
allow disconnecting a handle that is not connected. The unpatched code
would fail with:
selinux_child: handle.c:231: semanage_disconnect: Assertion `sh !=
((void *)0) && sh->funcs != ((void *)0) && sh->funcs->disconnect !=
((void *)0)' failed.
If semanage_connect() failed.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
1e0fa55fb377db788e065de917ba8e149eb56161 |
|
14-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Only call semanage if the context actually changes
https://fedorahosted.org/sssd/ticket/2624
Add a function to query the libsemanage database for a user context and
only update the database if the context differs from the one set on the
server.
Adds talloc dependency to libsss_semanage.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
748b38a7991d78cbf4726f2a14ace5e926629a54 |
|
14-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Begin and end the transaction on the same nesting level
Transaction should be started and committed on the same code nesting or
abstraction level. Also, transactions are really costly with libselinux
and splitting them from initialization will make init function reusable
by read-only libsemanage functions.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
aa00d67b2a8e07c9080e7798defdc6c774c93465 |
|
14-Apr-2015 |
Jakub Hrozek <jhrozek@redhat.com> |
selinux: Disconnect before closing the handle
libsemanage documentation says:
~~~~
be sure that a semanage_disconnect() was previously called if the handle
was connected.
~~~~
Otherwise we get a memory leak.
Reviewed-by: Michal Židek <mzidek@redhat.com> |
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 |
|
17-Mar-2015 |
Lukas Slebodnik <lslebodn@redhat.com> |
Add missing new lines to debug messages
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> |
180c7a75ee8507d459c7de21882dc714c59c3cc9 |
|
20-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
sss_semanage: Add mlsrange parameter to set_seuser
mlsrange parameter will be needed in IPA provider
and probably at some point in the tools as well.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |
42ec8af02ecf1937e4db9b1ecc6216022634f0f9 |
|
20-Oct-2014 |
Michal Zidek <mzidek@redhat.com> |
util: Move semanage related functions to src/util
These functions will be reused by IPA provider.
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> |