diff options
Diffstat (limited to 'src/db')
-rw-r--r-- | src/db/sysdb.h | 1 | ||||
-rw-r--r-- | src/db/sysdb_selinux.c | 34 |
2 files changed, 34 insertions, 1 deletions
diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 5baac98b3..3c6166cf4 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -120,6 +120,7 @@ #define SYSDB_SELINUX_SEEALSO "seeAlso" #define SYSDB_SELINUX_USER "selinuxUser" #define SYSDB_SELINUX_ENABLED "enabled" +#define SYSDB_SELINUX_HOST_PRIORITY "hostPriority" #define SYSDB_CACHEDPWD "cachedPassword" diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c index e9f2da11b..8e69cd3e2 100644 --- a/src/db/sysdb_selinux.c +++ b/src/db/sysdb_selinux.c @@ -341,6 +341,7 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx, SYSDB_HOST_CATEGORY, SYSDB_ORIG_MEMBER_USER, SYSDB_ORIG_MEMBER_HOST, + SYSDB_SELINUX_HOST_PRIORITY, SYSDB_SELINUX_USER, NULL }; struct ldb_message **msgs = NULL; @@ -351,6 +352,9 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx, struct ldb_dn *basedn; size_t msgs_count = 0; size_t usermaps_cnt; + uint32_t priority = 0; + uint32_t host_priority = 0; + uint32_t top_priority = 0; char *filter; errno_t ret; int i; @@ -405,7 +409,35 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx, tmp_attrs->a = msgs[i]->elements; tmp_attrs->num = msgs[i]->num_elements; - if (sss_selinux_match(tmp_attrs, user, NULL)) { + if (sss_selinux_match(tmp_attrs, user, NULL, &priority)) { + priority &= ~(SELINUX_PRIORITY_HOST_NAME | + SELINUX_PRIORITY_HOST_GROUP | + SELINUX_PRIORITY_HOST_CAT); + + /* Now figure out host priority */ + ret = sysdb_attrs_get_uint32_t(tmp_attrs, + SYSDB_SELINUX_HOST_PRIORITY, + &host_priority); + if (ret != EOK) { + continue; + } + + priority += host_priority; + if (priority < top_priority) { + /* This rule has lower priority than what we already have, + * skip it */ + continue; + } else if (priority > top_priority) { + /* If the rule has higher priority, drop what we already + * have */ + while (usermaps_cnt > 0) { + usermaps_cnt--; + talloc_zfree(usermaps[usermaps_cnt]); + } + top_priority = priority; + } + + usermaps[usermaps_cnt] = talloc_steal(usermaps, msgs[i]); usermaps_cnt++; } else { |