SELINUX: Always add SELinux user to the semanage database if it doesn…

…'t exist

Previously, we tried to optimize too much and only set the SELinux user
to Linux user mapping in case the SELinux user was different from the
system default. But this doesn't work for the case where the Linux user
has a non-standard home directory, because then SELinux would not have
any idea that this user's home directory should be labeled as a home
directory.

This patch relaxes the optimization in the sense that on the first
login, the SELinux context is saved regardless of whether it is the same
as the default or different.

Resolves:
https://pagure.io/SSSD/sssd/issue/3819

Reviewed-by: Michal Židek <mzidek@redhat.com>

src/providers/ipa/selinux_child.c

@@ -176,13 +176,16 @@ static bool seuser_needs_update(const char *username,
 
     ret = sss_get_seuser(username, &db_seuser, &db_mls_range);
     DEBUG(SSSDBG_TRACE_INTERNAL,
-          "getseuserbyname: ret: %d seuser: %s mls: %s\n",
+          "sss_get_seuser: ret: %d seuser: %s mls: %s\n",
           ret, db_seuser ? db_seuser : "unknown",
           db_mls_range ? db_mls_range : "unknown");
     if (ret == EOK && db_seuser && db_mls_range &&
             strcmp(db_seuser, seuser) == 0 &&
             strcmp(db_mls_range, mls_range) == 0) {
-        needs_update = false;
+        ret = sss_seuser_exists(username);
+        if (ret == EOK) {
+            needs_update = false;
+        }
     }
     /* OR */
     if (ret == ERR_SELINUX_NOT_MANAGED) {
@@ -191,6 +194,9 @@ static bool seuser_needs_update(const char *username,
 
     free(db_seuser);
     free(db_mls_range);
+    DEBUG(SSSDBG_TRACE_FUNC,
+          "The SELinux user does %sneed an update\n",
+          needs_update ? "" : "not ");
     return needs_update;
 }
 

src/util/sss_semanage.c

@@ -248,6 +248,36 @@ static int sss_semanage_user_mod(semanage_handle_t *handle,
     return ret;
 }
 
+int sss_seuser_exists(const char *linuxuser)
+{
+    int ret;
+    int exists;
+    semanage_seuser_key_t *sm_key = NULL;
+    semanage_handle_t *sm_handle = NULL;
+
+    ret = sss_semanage_init(&sm_handle);
+    if (ret != EOK) {
+        return ret;
+    }
+
+    ret = semanage_seuser_key_create(sm_handle, linuxuser, &sm_key);
+    if (ret < 0) {
+        sss_semanage_close(sm_handle);
+        return EIO;
+    }
+
+    ret = semanage_seuser_exists(sm_handle, sm_key, &exists);
+    semanage_seuser_key_free(sm_key);
+    sss_semanage_close(sm_handle);
+    if (ret < 0) {
+        return EIO;
+    }
+
+    DEBUG(SSSDBG_TRACE_FUNC, "seuser exists: %s\n", exists ? "yes" : "no");
+
+    return exists ? EOK : ERR_SELINUX_USER_NOT_FOUND;
+}
+
 int sss_get_seuser(const char *linuxuser,
                    char **selinuxuser,
                    char **level)

src/util/util.h

@@ -663,6 +663,7 @@ int sss_del_seuser(const char *login_name);
 int sss_get_seuser(const char *linuxuser,
                    char **selinuxuser,
                    char **level);
+int sss_seuser_exists(const char *linuxuser);
 
 /* convert time from generalized form to unix time */
 errno_t sss_utc_to_time_t(const char *str, const char *format, time_t *unix_time);

src/util/util_errors.c

@@ -75,6 +75,7 @@ struct err_string error_to_str[] = {
     { "LDAP search returned a referral" }, /* ERR_REFERRAL */
     { "Error setting SELinux user context" }, /* ERR_SELINUX_CONTEXT */
     { "SELinux is not managed by libsemanage" }, /* ERR_SELINUX_NOT_MANAGED */
+    { "SELinux user does not exist" }, /* ERR_SELINUX_USER_NOT_FOUND */
     { "Username format not allowed by re_expression" }, /* ERR_REGEX_NOMATCH */
     { "Time specification not supported" }, /* ERR_TIMESPEC_NOT_SUPPORTED */
     { "Invalid SSSD configuration detected" }, /* ERR_INVALID_CONFIG */

src/util/util_errors.h

@@ -97,6 +97,7 @@ enum sssd_errors {
     ERR_REFERRAL,
     ERR_SELINUX_CONTEXT,
     ERR_SELINUX_NOT_MANAGED,
+    ERR_SELINUX_USER_NOT_FOUND,
     ERR_REGEX_NOMATCH,
     ERR_TIMESPEC_NOT_SUPPORTED,
     ERR_INVALID_CONFIG,