From 8858fcd7f3b9a1161783d3d3b60a610ab4394339 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 12 Dec 2024 12:37:00 +0100
Subject: [PATCH 1/2] SELINUX_CHILD: fail immediately if set-id fails
---
 src/providers/ipa/selinux_child.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 0036611e02..41605ebda6 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -377,8 +377,8 @@ int main(int argc, const char *argv[])
 ret = setresuid(0, 0, -1);
 if (ret == -1) {
 ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE, "setuid() failed: %d, selinux_child might not work!\n", ret);
+ DEBUG(SSSDBG_CRIT_FAILURE, "setresuid() failed: %d\n", ret);
+ goto fail;
 }
 }
 if (getgid() != 0) {
@@ -387,8 +387,8 @@ int main(int argc, const char *argv[])
 ret = setresgid(0, 0, -1);
 if (ret == -1) {
 ret = errno;
- DEBUG(SSSDBG_CRIT_FAILURE, "setgid() failed: %d, selinux_child might not work!\n", ret);
+ DEBUG(SSSDBG_CRIT_FAILURE, "setresgid() failed: %d\n", ret);
+ goto fail;
 }
 }
 sss_drop_all_caps();
From 8e6084e0b17011fb481093fd7f0ad9d3be6d4393 Mon Sep 17 00:00:00 2001
From: Alexey Tikhonov
Date: Thu, 12 Dec 2024 12:46:55 +0100
Subject: [PATCH 2/2] SELINUX_CHILD: 'ret' argument of `prepare_response()` is always 0 both in current and pre- sssd-2.10.1 code. Let's make it explicit.
---
 src/providers/ipa/selinux_child.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/providers/ipa/selinux_child.c b/src/providers/ipa/selinux_child.c
index 41605ebda6..9fc1ba8190 100644
--- a/src/providers/ipa/selinux_child.c
+++ b/src/providers/ipa/selinux_child.c
@@ -414,7 +414,7 @@ int main(int argc, const char *argv[])
 sss_log_process_caps("Sending response");
- ret = prepare_response(main_ctx, ret, &resp);
+ ret = prepare_response(main_ctx, EOK, &resp);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE, "Failed to prepare response buffer.\n");
 goto fail;
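Review bot: The new `goto fail` on the setresuid() failure path leaves main() before `sss_drop_all_caps()` (which only appears after the setresgid hunk), so whatever the `fail:` label does still runs with the process's capability set intact; `fail:` itself is outside this hunk, so I cannot confirm whether it drops them. Failing closed is the right call, but if the fail path builds a response or touches any file, consider `sss_drop_all_caps();` immediately before `goto fail;`, or making the drop the first statement at `fail:`. The shortened log line also loses the human-readable cause; `DEBUG(SSSDBG_CRIT_FAILURE, "setresuid() failed: %d [%s]\n", ret, strerror(ret));` keeps it diagnosable without reintroducing the old "might not work" wording. main() starts before and ends after this hunk, and the same remarks apply to the parallel setresgid hunk.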
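Review bot: The hard-coded `EOK` passed to `prepare_response()` is justified by the commit message, but nothing in the code explains why the child never reports a non-zero status at this point, so a later reader may suspect an error code was dropped. A one-line comment above the call would carry the reasoning: `/* Status is always EOK here: every earlier failure leaves via 'fail' before a response is built. */`. That the failure paths jump to `fail` is visible in this hunk and in the set-id hunks, but the `fail:` label and the rest of main() lie outside the hunk, so the wording should be checked against them before committing.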