authorMichal Zidek <mzidek@redhat.com>2013-02-07 19:35:37 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-03-19 17:50:53 +0100
commitb42bb7d9dbf9a4c44a03e7bf1bab471a8a85e858 (patch)
tree990fcb7fa6901faf4f2b7befea8912324106dad5 /src/db
parent1f469537545a20b62cb35966033be24e1c0cae39 (diff)
Move SELinux processing to provider.
The SELinux processing was distributed between the provider and the pam responder, which resulted in hard-to-maintain code. This patch moves the logic to the provider. IT ALSO REQUIRES A CHANGE IN THE SELINUX POLICY, because the provider now also writes the content of the selinux login file to disk (which was done by the responder before). https://fedorahosted.org/sssd/ticket/1743
Diffstat (limited to 'src/db')
-rw-r--r--src/db/sysdb_selinux.c107
1 files changed, 0 insertions, 107 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index b27e0a922..80cfe5390 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -336,113 +336,6 @@ sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
return EOK;
}
-errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
- struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
- const char *username,
- struct ldb_message ***_usermaps)
-{
- TALLOC_CTX *tmp_ctx;
- struct ldb_message **msgs = NULL;
- const char *attrs[] = { SYSDB_NAME,
- SYSDB_USER_CATEGORY,
- SYSDB_HOST_CATEGORY,
- SYSDB_ORIG_MEMBER_USER,
- SYSDB_ORIG_MEMBER_HOST,
- SYSDB_SELINUX_HOST_PRIORITY,
- SYSDB_SELINUX_USER,
- NULL };
- struct sysdb_attrs *user;
- struct sysdb_attrs *tmp_attrs;
- struct ldb_message **usermaps = NULL;
- size_t msgs_count = 0;
- size_t usermaps_cnt;
- uint32_t priority = 0;
- uint32_t host_priority = 0;
- uint32_t top_priority = 0;
- errno_t ret;
- int i;
-
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- return ENOMEM;
- }
-
- /* Now extract user attributes */
- ret = sss_selinux_extract_user(tmp_ctx, sysdb, domain, username, &user);
- if (ret != EOK) {
- goto done;
- }
-
- /* Now extract all SELinux user maps */
- ret = sysdb_get_selinux_usermaps(tmp_ctx, sysdb, domain,
- attrs, &msgs_count, &msgs);
- if (ret) {
- goto done;
- }
-
- /* Now filter those that match */
- tmp_attrs = talloc_zero(tmp_ctx, struct sysdb_attrs);
- if (tmp_attrs == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- usermaps = talloc_zero_array(tmp_ctx, struct ldb_message *, msgs_count + 1);
- if (usermaps == NULL) {
- ret = ENOMEM;
- goto done;
- }
-
- usermaps_cnt = 0;
- for (i = 0; i < msgs_count; i++) {
- tmp_attrs->a = msgs[i]->elements;
- tmp_attrs->num = msgs[i]->num_elements;
-
- if (sss_selinux_match(tmp_attrs, user, NULL, &priority)) {
- priority &= ~(SELINUX_PRIORITY_HOST_NAME |
- SELINUX_PRIORITY_HOST_GROUP |
- SELINUX_PRIORITY_HOST_CAT);
-
- /* Now figure out host priority */
- ret = sysdb_attrs_get_uint32_t(tmp_attrs,
- SYSDB_SELINUX_HOST_PRIORITY,
- &host_priority);
- if (ret != EOK) {
- continue;
- }
-
- priority += host_priority;
- if (priority < top_priority) {
- /* This rule has lower priority than what we already have,
- * skip it */
- continue;
- } else if (priority > top_priority) {
- /* If the rule has higher priority, drop what we already
- * have */
- while (usermaps_cnt > 0) {
- usermaps_cnt--;
- talloc_zfree(usermaps[usermaps_cnt]);
- }
- top_priority = priority;
- }
-
-
- usermaps[usermaps_cnt] = talloc_steal(usermaps, msgs[i]);
- usermaps_cnt++;
- } else {
- talloc_zfree(msgs[i]);
- }
- }
-
- *_usermaps = talloc_steal(mem_ctx, usermaps);
-
- ret = EOK;
-done:
- talloc_zfree(tmp_ctx);
- return ret;
-}
-
errno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
struct sss_domain_info *domain,