author | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-05 16:35:00 +0100 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-03-11 18:58:08 +0100 |
commit | 36f606d6743e77721bedeed0907f1be7a19fa4f4 (patch) | |
tree | bf00eea78015e4a3c398895c7c7f2a57583840f7 /src/providers | |
parent | fdaaf2525e333af04ee9b48429b6766b5fd6cab6 (diff) | |
IPA: Use the correct domain when processing SELinux rules
We blindly used the user's domain for everything. That is wrong in case the
user comes from a subdomain. We should use the IPA domain for accessing
the SELinux rules and host data and the user domain only for the user.
https://fedorahosted.org/sssd/ticket/2270
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 25 |
1 files changed, 15 insertions, 10 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 6b28d4f97..81e8d59fd 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -56,7 +56,8 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req,
static struct ipa_selinux_op_ctx * ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
+ struct sss_domain_info *ipa_domain,
+ struct sss_domain_info *user_domain,
struct be_req *be_req, const char *username, const char *hostname, struct ipa_selinux_ctx *selinux_ctx);
@@ -79,7 +80,8 @@ static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx,
struct ipa_selinux_op_ctx { struct be_req *be_req;
- struct sss_domain_info *domain;
+ struct sss_domain_info *user_domain;
+ struct sss_domain_info *ipa_domain;
struct ipa_selinux_ctx *selinux_ctx; struct sysdb_attrs *user;
@@ -130,6 +132,7 @@ void ipa_selinux_handler(struct be_req *be_req)
} op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+ be_ctx->domain,
user_domain, be_req, pd->user, hostname, selinux_ctx);
@@ -200,7 +203,8 @@ done:
static struct ipa_selinux_op_ctx * ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
+ struct sss_domain_info *ipa_domain,
+ struct sss_domain_info *user_domain,
struct be_req *be_req, const char *username, const char *hostname, struct ipa_selinux_ctx *selinux_ctx)
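Review bot: The two new `struct ipa_selinux_op_ctx` members in the hunk at line 80 carry no comment saying which consumer should use which, and since the whole point of this commit is that they differ for a subdomain user, the next change to this file is likely to pick the wrong one. Suggest annotating them in place: `struct sss_domain_info *user_domain; /* domain the user was looked up in; may be a subdomain */` and `struct sss_domain_info *ipa_domain; /* IPA domain owning the SELinux maps and host entries */`. As a style point, the struct declares user_domain before ipa_domain while the `ipa_selinux_create_op_ctx` parameter list (hunks at lines 56 and 203) takes ipa_domain first; two adjacent same-typed pointer parameters make a swapped call site compile silently, so the caller at line 132 is worth a second look to confirm `be_ctx->domain` is indeed the IPA domain and `user_domain` the user's.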
@@ -220,15 +224,16 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
return NULL; } op_ctx->be_req = be_req;
- op_ctx->domain = domain;
+ op_ctx->ipa_domain = ipa_domain;
+ op_ctx->user_domain = user_domain;
op_ctx->selinux_ctx = selinux_ctx;
- ret = sss_selinux_extract_user(op_ctx, domain, username, &op_ctx->user);
+ ret = sss_selinux_extract_user(op_ctx, user_domain, username, &op_ctx->user);
if (ret != EOK) { goto fail; }
- host_dn = sysdb_custom_dn(op_ctx, domain, hostname, HBAC_HOSTS_SUBDIR);
+ host_dn = sysdb_custom_dn(op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);
if (host_dn == NULL) { goto fail; }
@@ -274,7 +279,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
struct ipa_selinux_op_ctx *op_ctx = tevent_req_callback_data(req, struct ipa_selinux_op_ctx); struct be_req *breq = op_ctx->be_req; struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
- struct sysdb_ctx *sysdb = op_ctx->domain->sysdb;
+ struct sysdb_ctx *sysdb = op_ctx->ipa_domain->sysdb;
errno_t ret, sret; size_t map_count = 0; struct sysdb_attrs **maps = NULL;
@@ -303,21 +308,21 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
} in_transaction = true;
- ret = sysdb_delete_usermaps(op_ctx->domain);
+ ret = sysdb_delete_usermaps(op_ctx->ipa_domain);
if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot delete existing maps from sysdb\n"); goto fail; }
- ret = sysdb_store_selinux_config(op_ctx->domain,
+ ret = sysdb_store_selinux_config(op_ctx->ipa_domain,
default_user, map_order); if (ret != EOK) { goto fail; } if (map_count > 0 && maps != NULL) {
- ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
+ ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps);
if (ret != EOK) { goto fail; } |
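Review bot: `ipa_selinux_create_op_ctx` still receives a separate `sysdb` parameter, which the caller at line 132 passes as `user_domain->sysdb`, while the host DN in this hunk is now built from `ipa_domain` and `ipa_selinux_handler_done` (hunk at line 279) reads `op_ctx->ipa_domain->sysdb`. If the two handles can ever differ for a subdomain user, anything the body does with `sysdb` would address a different database than the one the host DN belongs to; deriving it inside the function as `struct sysdb_ctx *sysdb = ipa_domain->sysdb;` (or dropping the parameter) would remove the mismatch and keep the two functions consistent. I cannot see how `sysdb` is used here because the body of `ipa_selinux_create_op_ctx` starts and ends outside the hunk, so this is an inference from the signatures rather than from a visible use.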