authorJakub Hrozek <jhrozek@redhat.com>2013-08-11 23:39:49 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-09-03 16:23:33 +0200
commit5c0050453d152b49142188c3771f2ca3e4f5c6ab (patch)
tree72bbc59cdbd9ff334041c389f63292d171f0c5fb
parentcc0a816d8a345398d900bc006e73d10049f0c38a (diff)
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892
-rw-r--r--src/db/sysdb_selinux.c9
-rw-r--r--src/db/sysdb_selinux.h2
-rw-r--r--src/providers/ipa/ipa_selinux.c24
-rw-r--r--src/responder/pam/pamsrv_cmd.c6
4 files changed, 29 insertions, 12 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index a6b4809f6..f49f58d27 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -333,7 +333,7 @@ sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
}
errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
- struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
const char *username,
struct ldb_message ***_usermaps)
{
@@ -357,20 +357,23 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
uint32_t top_priority = 0;
errno_t ret;
int i;
+ struct sss_domain_info *parent_dom;
tmp_ctx = talloc_new(NULL);
if (!tmp_ctx) {
return ENOMEM;
}
+ parent_dom = dom->parent ? dom->parent : dom;
+
/* Now extract user attributes */
- ret = sss_selinux_extract_user(tmp_ctx, sysdb, username, &user);
+ ret = sss_selinux_extract_user(tmp_ctx, dom->sysdb, username, &user);
if (ret != EOK) {
goto done;
}
/* Now extract all SELinux user maps */
- ret = sysdb_get_selinux_usermaps(tmp_ctx, sysdb, attrs, &msgs_count, &msgs);
+ ret = sysdb_get_selinux_usermaps(tmp_ctx, parent_dom->sysdb, attrs, &msgs_count, &msgs);
if (ret) {
goto done;
}
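Review bot: `parent_dom = dom->parent ? dom->parent : dom;` at the top of sysdb_search_selinux_usermap_by_username encodes the rule that SELinux user maps are read from the parent domain's sysdb while the user itself is looked up in `dom->sysdb`, but nothing here says so; the only explanation of that rule is the comment added in pamsrv_cmd.c, and the same expression is repeated verbatim in ipa_selinux_create_op_ctx. A one-line comment such as `/* SELinux user maps live in the parent domain's sysdb; the user may belong to a subdomain */`, or better a small static helper that returns the map-owning domain and is called from all three sites, would keep them from drifting apart. Note also that `dom` is now dereferenced unconditionally where the old `sysdb` argument was merely passed through; if any caller can hand in NULL, a guard of the form `if (dom == NULL) return EINVAL;` before `talloc_new` is cheap. The function body continues past the end of this hunk.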
diff --git a/src/db/sysdb_selinux.h b/src/db/sysdb_selinux.h
index 5fcbb56ef..598936dbd 100644
--- a/src/db/sysdb_selinux.h
+++ b/src/db/sysdb_selinux.h
@@ -61,7 +61,7 @@ errno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
struct ldb_message **_usermap);
errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
- struct sysdb_ctx *sysdb,
+ struct sss_domain_info *dom,
const char *username,
struct ldb_message ***_usermaps);
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index d1dbe5765..21e518fd1 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -36,6 +36,7 @@
#include "providers/ipa/ipa_access.h"
#include "providers/ipa/ipa_selinux_common.h"
#include "providers/ipa/ipa_selinux_maps.h"
+#include "providers/krb5/krb5_utils.h"
static struct tevent_req *
ipa_get_selinux_send(struct be_req *breq,
@@ -52,7 +53,7 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req,
char **map_order);
static struct ipa_selinux_op_ctx *
-ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
+ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
struct be_req *be_req, const char *username,
const char *hostname);
static void ipa_selinux_handler_done(struct tevent_req *subreq);
@@ -84,6 +85,8 @@ void ipa_selinux_handler(struct be_req *be_req)
struct tevent_req *req;
struct pam_data *pd;
const char *hostname;
+ int ret;
+ struct sss_domain_info *dom;
pd = talloc_get_type(be_req->req_data, struct pam_data);
@@ -98,7 +101,13 @@ void ipa_selinux_handler(struct be_req *be_req)
goto fail;
}
- op_ctx = ipa_selinux_create_op_ctx(be_req, be_req->sysdb, be_req,
+ ret = get_domain_or_subdomain(be_req, be_req->be_ctx, pd->domain, &dom);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, ("get_domain_or_subdomain failed.\n"));
+ goto fail;
+ }
+
+ op_ctx = ipa_selinux_create_op_ctx(be_req, dom, be_req,
pd->user, hostname);
if (op_ctx == NULL) {
DEBUG(SSSDBG_OP_FAILURE, ("Cannot create op context\n"));
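Review bot: The new `ret` in ipa_selinux_handler is declared `int`, while the rest of this file uses `errno_t` for the same role (see `errno_t ret;` in ipa_selinux_create_op_ctx and `ret != EOK` comparisons); declare it `errno_t ret;` to match. The added get_domain_or_subdomain() failure path logs and jumps to `fail`, which follows the surrounding error handling, but `fail:` lies outside this hunk so I cannot see whether the request is answered with a status on that path; worth confirming it is not left without a reply. The enclosing function starts and ends outside the hunk.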
@@ -119,7 +128,7 @@ fail:
}
static struct ipa_selinux_op_ctx *
-ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
+ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom,
struct be_req *be_req, const char *username,
const char *hostname)
{
@@ -132,6 +141,7 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
struct ldb_message **msgs;
struct sysdb_attrs **hosts;
errno_t ret;
+ struct sss_domain_info *parent_dom;
op_ctx = talloc_zero(mem_ctx, struct ipa_selinux_op_ctx);
if (op_ctx == NULL) {
@@ -139,18 +149,20 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
}
op_ctx->be_req = be_req;
- ret = sss_selinux_extract_user(op_ctx, sysdb, username, &op_ctx->user);
+ parent_dom = dom->parent ? dom->parent : dom;
+
+ ret = sss_selinux_extract_user(op_ctx, dom->sysdb, username, &op_ctx->user);
if (ret != EOK) {
goto fail;
}
- host_dn = sysdb_custom_dn(sysdb, op_ctx, hostname, HBAC_HOSTS_SUBDIR);
+ host_dn = sysdb_custom_dn(parent_dom->sysdb, op_ctx, hostname, HBAC_HOSTS_SUBDIR);
if (host_dn == NULL) {
goto fail;
}
/* Look up the host to get its originalMemberOf entries */
- ret = sysdb_search_entry(op_ctx, sysdb, host_dn,
+ ret = sysdb_search_entry(op_ctx, parent_dom->sysdb, host_dn,
LDB_SCOPE_BASE, NULL,
attrs, &count, &msgs);
if (ret == ENOENT || count == 0) {
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 94de4df5f..c1ff5dacd 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -521,7 +521,9 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
goto done;
}
- sysdb = preq->domain->sysdb;
+ /* Sysdb rules are always stored in the parent domain */
+ sysdb = preq->domain->parent ? preq->domain->parent->sysdb :
+ preq->domain->sysdb;
if (sysdb == NULL) {
DEBUG(SSSDBG_FATAL_FAILURE, ("Fatal: Sysdb CTX not found for "
"domain [%s]!\n", preq->domain->name));
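Review bot: After this change the `sysdb == NULL` check guards the parent domain's sysdb, but the later call `sysdb_search_selinux_usermap_by_username(tmp_ctx, preq->domain, pd->user, &usermaps)` in the second hunk of this file hands over `preq->domain` itself, and that callee reads `dom->sysdb` directly for the user lookup; if a subdomain's `sysdb` pointer can ever differ from its parent's or be NULL, the check here no longer covers what is actually dereferenced. Either also verify `preq->domain->sysdb` here or have the callee validate `dom->sysdb` before use. The new comment would also read more precisely as `/* SELinux maps are always stored in the parent domain's sysdb */`, since "rules" is broader than what this function fetches. process_selinux_mappings continues outside the hunk.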
@@ -595,7 +597,7 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
}
/* Fetch all maps applicable to the user who is currently logging in */
- ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, sysdb, pd->user,
+ ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, preq->domain, pd->user,
&usermaps);
if (ret != EOK && ret != ENOENT) {
goto done;