sssd.git/src/responder/pam, branch refactor sssd with jhrozek's patches Add new option default_domain_suffix 2012-10-01T19:45:21+00:00 Sumit Bose sbose@redhat.com 2012-09-21T16:30:30+00:00 1542b85f13d72329685bdd97aa879c36d11f81be 






SELinux: Always use the default if it exists on the server
2012-09-13T16:11:59+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-09-13T08:07:29+00:00

ebb1f28998c06984765e3e78d30911c1c3ec84e2

https://fedorahosted.org/sssd/ticket/1513

This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045

During an e-mail discussion, it was decided that

    * if the default is set in the IPA config object, the SSSD would use
      that default no matter what
    * if the default is not set (aka empty or missing), the SSSD
      would just use the system default and skip creating the login
      file altogether





https://fedorahosted.org/sssd/ticket/1513

This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045

During an e-mail discussion, it was decided that

    * if the default is set in the IPA config object, the SSSD would use
      that default no matter what
    * if the default is not set (aka empty or missing), the SSSD
      would just use the system default and skip creating the login
      file altogether







Check if the SELinux login directory exists
2012-09-04T08:14:18+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-08-27T06:23:57+00:00

3d038d2e0dc7af04ec2f7c85ae325accb39f6237

https://fedorahosted.org/sssd/ticket/1492





https://fedorahosted.org/sssd/ticket/1492







Only create the SELinux login file if there are mappings on the server
2012-08-16T11:31:03+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-08-05T20:37:09+00:00

f004e23af14fe020d81b8f97f30b448105b79606

https://fedorahosted.org/sssd/ticket/1455

In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.

The IPA default must be only used if there *are* rules on the server,
but none matches.





https://fedorahosted.org/sssd/ticket/1455

In case there are no rules on the IPA server, we must simply avoid generating
the login file. That would make us fall back to the system-wide default
defined in /etc/selinux/targeted/seusers.

The IPA default must be only used if there *are* rules on the server,
but none matches.







Do not try to remove the temp login file if already renamed
2012-08-16T11:30:58+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-08-05T20:03:11+00:00

79402313dc0d7f854b4334dd427e03b7baf0b9db

write_selinux_string() would try to unlink the temporary file even after
it was renamed. Failure to unlink the file would not be fatal, but would
produce a confusing error message.

Also don't use "0" for the default fd number, that's reserved for stdin.
Using -1 is safer.





write_selinux_string() would try to unlink the temporary file even after
it was renamed. Failure to unlink the file would not be fatal, but would
produce a confusing error message.

Also don't use "0" for the default fd number, that's reserved for stdin.
Using -1 is safer.







Build SELinux code in responder conditionally
2012-08-16T09:11:24+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-08-15T13:10:42+00:00

af824bac568ebe8a03273f73246ac78b415ea756

https://fedorahosted.org/sssd/ticket/1480





https://fedorahosted.org/sssd/ticket/1480







Fix bad check
2012-08-01T19:13:07+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-08-01T16:11:22+00:00

39b20025db12d88cd564666b3de0dbe0ce09ff2c












Write SELinux config files in responder instead of PAM module
2012-07-27T12:46:16+00:00

Jan Zeleny
jzeleny@redhat.com

2012-07-27T07:35:38+00:00

300c772767c1b12077cac1d148ac89738b058f97












Move SELinux processing from session to account PAM stack
2012-07-27T08:37:06+00:00

Jan Zeleny
jzeleny@redhat.com

2012-07-24T19:36:10+00:00

7016947229edcaa268a82bf69fde37e521b13233

The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.

Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.





The idea is to rename session provider to selinux provider. Processing
of SELinux rules has to be performed in account stack in order to ensure
that pam_selinux (which is the first module in PAM session stack) will
get the correct input from SSSD.

Processing of account PAM stack is bound to access provider. That means
we need to have two providers executed when SSS_PAM_ACCT_MGMT message
is received from PAM responder. Change in data_provider_be.c ensures
just that - after access provider finishes its actions, the control is
given to selinux provider and only after this provider finishes is the
result returned to PAM responder.







PAM: Fix off-by-one-error in the SELinux session code
2012-07-18T19:10:38+00:00

Jakub Hrozek
jhrozek@redhat.com

2012-07-18T18:35:45+00:00

5266c7472ffb94504b8249310aee5c8a5511a922