authorJan Zeleny <jzeleny@redhat.com>2012-07-16 13:54:21 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-07-18 16:32:25 +0200
commit1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 (patch)
treed7588ed8b02fcdaa5d231930b9a165208e078dfc /src/util
parent266fd9834133e31c51b9e967307a793e5a49258e (diff)
Modify priority evaluation in SELinux user maps
The functionality is now as follows: when a rule is being matched, its priority is determined as a combination of user and host specificity (host taking precedence). After the rule is matched in the provider, only its host priority is stored in sysdb for later use. When rules are matched in the responder, their user priority is determined. After that, their host priority is retrieved directly from sysdb and the sum of both priorities is used to determine whether to use that rule or not. If several rules have the same priority, the order given in the IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
Diffstat (limited to 'src/util')
-rw-r--r--src/util/sss_selinux.c40
-rw-r--r--src/util/sss_selinux.h11
2 files changed, 45 insertions, 6 deletions
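--- a/src/util/sss_selinux.c
+++ b/src/util/sss_selinux.c
@@ -49,7 +49,8 @@ static bool match_entity(struct ldb_message_element *values,
 bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct sysdb_attrs *user,
- struct sysdb_attrs *host)
+ struct sysdb_attrs *host,
+ uint32_t *_priority)
 {
 struct ldb_message_element *users_el = NULL;
 struct ldb_message_element *usercat = NULL;
@@ -58,6 +59,9 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct ldb_message_element *dn;
 struct ldb_message_element *memberof;
 int i;
+ uint32_t priority = 0;
+ bool matched_name;
+ bool matched_group;
 errno_t ret;
 if (usermap == NULL) {
@@ -90,10 +94,21 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 */
 if (usercat == NULL || usercat->num_values == 0 ||
 strcasecmp((char *)usercat->values[0].data, "all") != 0) {
- if (users_el == NULL || (!match_entity(users_el, dn) &&
- !match_entity(users_el, memberof))) {
+ if (users_el == NULL) {
 return false;
+ } else {
+ matched_name = match_entity(users_el, dn);
+ matched_group = match_entity(users_el, memberof);
+ if (matched_name) {
+ priority |= SELINUX_PRIORITY_USER_NAME;
+ } else if (matched_group) {
+ priority |= SELINUX_PRIORITY_USER_GROUP;
+ } else {
+ return false;
+ }
 }
+ } else {
+ priority |= SELINUX_PRIORITY_USER_CAT;
 }
 }
@@ -109,11 +124,26 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 */
 if (hostcat == NULL || hostcat->num_values == 0 ||
 strcasecmp((char *)hostcat->values[0].data, "all") != 0) {
- if (hosts_el == NULL || (!match_entity(hosts_el, dn) &&
- !match_entity(hosts_el, memberof))) {
+ if (hosts_el == NULL) {
 return false;
+ } else {
+ matched_name = match_entity(hosts_el, dn);
+ matched_group = match_entity(hosts_el, memberof);
+ if (matched_name) {
+ priority |= SELINUX_PRIORITY_HOST_NAME;
+ } else if (matched_group) {
+ priority |= SELINUX_PRIORITY_HOST_GROUP;
+ } else {
+ return false;
+ }
 }
 }
+ } else {
+ priority |= SELINUX_PRIORITY_HOST_CAT;
+ }
+
+ if (_priority != NULL) {
+ *_priority = priority;
 }
 return true;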
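Review bot: `*_priority` is written only on the success path, immediately before `return true;`, so after a `false` return the caller's variable keeps whatever it held before; the definition should state that contract, e.g. `/* _priority (optional, may be NULL) receives the combined SELINUX_PRIORITY_* bits only when true is returned; it is left untouched on a false return. */`. Both new blocks also call `match_entity()` twice unconditionally, so the `memberof` lookup runs even when the name already matched, and the `else` after `return false;` in `if (users_el == NULL)` and `if (hosts_el == NULL)` adds a nesting level for nothing. Chaining the two lookups directly, as below for the user block and mirrored for the host block in the last hunk, also removes the `matched_name`/`matched_group` temporaries declared in the second hunk. sss_selinux_match's closing brace lies outside the hunk.
```c
        if (users_el == NULL) {
            return false;
        }
        if (match_entity(users_el, dn)) {
            priority |= SELINUX_PRIORITY_USER_NAME;
        } else if (match_entity(users_el, memberof)) {
            priority |= SELINUX_PRIORITY_USER_GROUP;
        } else {
            return false;
        }
        /* … unchanged: usercat "all" else-branch setting SELINUX_PRIORITY_USER_CAT … */
        /* … host block: same shape with SELINUX_PRIORITY_HOST_NAME / SELINUX_PRIORITY_HOST_GROUP … */
```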
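--- a/src/util/sss_selinux.h
+++ b/src/util/sss_selinux.h
@@ -30,6 +30,14 @@
 #include <db/sysdb.h>
+#define SELINUX_PRIORITY_USER_CAT 1
+#define SELINUX_PRIORITY_USER_GROUP 2
+#define SELINUX_PRIORITY_USER_NAME 4
+/* According to specification, host has higher priority */
+#define SELINUX_PRIORITY_HOST_CAT 8
+#define SELINUX_PRIORITY_HOST_GROUP 16
+#define SELINUX_PRIORITY_HOST_NAME 32
+
 errno_t
 sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
 struct sysdb_ctx *sysdb,
@@ -38,7 +46,8 @@ sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
 bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct sysdb_attrs *user,
- struct sysdb_attrs *host);
+ struct sysdb_attrs *host,
+ uint32_t *_priority);
 const char *sss_selinux_map_get_seuser(struct ldb_message *usermap);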
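Review bot: The six `SELINUX_PRIORITY_*` values are bit flags, but nothing in the header says how they combine or why their numeric value can be compared as a priority; sss_selinux_match() sets exactly one `USER_*` and one `HOST_*` bit per successful match, so the OR of the two equals their sum and a larger value means a more specific rule. A comment above the block, `/* Bit flags. sss_selinux_match() sets exactly one USER_* and one HOST_* bit, so the combined value doubles as a comparable priority (higher = more specific). */`, would pin that down and make the existing "host has higher priority" remark concrete. The new `_priority` parameter also deserves a line on the prototype, `/* _priority: may be NULL; written only when the function returns true. */`. The prototype now uses `uint32_t`; only `<db/sysdb.h>` is visible above the hunk, so if nothing earlier in the header already pulls in `<stdint.h>` it should be included explicitly.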