authorJan Zeleny <jzeleny@redhat.com>2012-07-16 13:54:21 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-07-18 16:32:25 +0200
commit1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 (patch)
treed7588ed8b02fcdaa5d231930b9a165208e078dfc /src/db
parent266fd9834133e31c51b9e967307a793e5a49258e (diff)
Modify priority evaluation in SELinux user maps
The functionality is now as follows: When a rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in the provider, only its host priority is stored in sysdb for later use. When rules are matched in the responder, their user priority is determined. After that, their host priority is retrieved directly from sysdb and the sum of both priorities is used to determine whether to use that rule or not. If several rules have the same priority, the order given in the IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
Diffstat (limited to 'src/db')
-rw-r--r--src/db/sysdb.h1
-rw-r--r--src/db/sysdb_selinux.c34
2 files changed, 34 insertions, 1 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h
index 5baac98b3..3c6166cf4 100644
--- a/src/db/sysdb.h
+++ b/src/db/sysdb.h
@@ -120,6 +120,7 @@
#define SYSDB_SELINUX_SEEALSO "seeAlso"
#define SYSDB_SELINUX_USER "selinuxUser"
#define SYSDB_SELINUX_ENABLED "enabled"
+#define SYSDB_SELINUX_HOST_PRIORITY "hostPriority"
#define SYSDB_CACHEDPWD "cachedPassword"
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index e9f2da11b..8e69cd3e2 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -341,6 +341,7 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
SYSDB_HOST_CATEGORY,
SYSDB_ORIG_MEMBER_USER,
SYSDB_ORIG_MEMBER_HOST,
+ SYSDB_SELINUX_HOST_PRIORITY,
SYSDB_SELINUX_USER,
NULL };
struct ldb_message **msgs = NULL;
@@ -351,6 +352,9 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
struct ldb_dn *basedn;
size_t msgs_count = 0;
size_t usermaps_cnt;
+ uint32_t priority = 0;
+ uint32_t host_priority = 0;
+ uint32_t top_priority = 0;
char *filter;
errno_t ret;
int i;
@@ -405,7 +409,35 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
tmp_attrs->a = msgs[i]->elements;
tmp_attrs->num = msgs[i]->num_elements;
- if (sss_selinux_match(tmp_attrs, user, NULL)) {
+ if (sss_selinux_match(tmp_attrs, user, NULL, &priority)) {
+ priority &= ~(SELINUX_PRIORITY_HOST_NAME |
+ SELINUX_PRIORITY_HOST_GROUP |
+ SELINUX_PRIORITY_HOST_CAT);
+
+ /* Now figure out host priority */
+ ret = sysdb_attrs_get_uint32_t(tmp_attrs,
+ SYSDB_SELINUX_HOST_PRIORITY,
+ &host_priority);
+ if (ret != EOK) {
+ continue;
+ }
+
+ priority += host_priority;
+ if (priority < top_priority) {
+ /* This rule has lower priority than what we already have,
+ * skip it */
+ continue;
+ } else if (priority > top_priority) {
+ /* If the rule has higher priority, drop what we already
+ * have */
+ while (usermaps_cnt > 0) {
+ usermaps_cnt--;
+ talloc_zfree(usermaps[usermaps_cnt]);
+ }
+ top_priority = priority;
+ }
+
+
usermaps[usermaps_cnt] = talloc_steal(usermaps, msgs[i]);
usermaps_cnt++;
} else {
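Review bot: The `if (ret != EOK) { continue; }` after the `sysdb_attrs_get_uint32_t` call drops a rule the user already matched without leaving any trace: a cached map with no `hostPriority` attribute (for example one written before this attribute existed) or one whose value fails to parse is silently excluded from the result, which makes a missing SELinux mapping hard to diagnose. At minimum log the skip before the `continue` (a DEBUG message naming the rule), and if an absent attribute is meant to count as host priority 0, handle the not-found case (presumably ENOENT — confirm against sysdb_attrs_get_uint32_t) separately by setting `host_priority = 0;` instead of skipping. Note also that a skipped iteration leaves `ret` holding a non-EOK value; whether anything after the loop reads `ret` without reassigning it cannot be checked here, as sysdb_search_selinux_usermap_by_username starts before and continues past this hunk, including the `else` branch on its last line. A minor style point: the doubled blank line before the `talloc_steal` call should be a single one.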