Diffstat (limited to 'src/util')
-rw-r--r-- | src/util/sss_selinux.c | 40 | ||||
-rw-r--r-- | src/util/sss_selinux.h | 11 |
2 files changed, 45 insertions, 6 deletions
diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c
index bdb117951..7b2417bbe 100644
--- a/src/util/sss_selinux.c
+++ b/src/util/sss_selinux.c
@@ -49,7 +49,8 @@ static bool match_entity(struct ldb_message_element *values,
 bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct sysdb_attrs *user,
- struct sysdb_attrs *host)
+ struct sysdb_attrs *host,
+ uint32_t *_priority)
 {
 struct ldb_message_element *users_el = NULL;
 struct ldb_message_element *usercat = NULL;
@@ -58,6 +59,9 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct ldb_message_element *dn;
 struct ldb_message_element *memberof;
 int i;
+ uint32_t priority = 0;
+ bool matched_name;
+ bool matched_group;
 errno_t ret;
 if (usermap == NULL) {
@@ -90,10 +94,21 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 */
 if (usercat == NULL || usercat->num_values == 0 || strcasecmp((char *)usercat->values[0].data, "all") != 0) {
- if (users_el == NULL || (!match_entity(users_el, dn) &&
- !match_entity(users_el, memberof))) {
+ if (users_el == NULL) {
 return false;
+ } else {
+ matched_name = match_entity(users_el, dn);
+ matched_group = match_entity(users_el, memberof);
+ if (matched_name) {
+ priority |= SELINUX_PRIORITY_USER_NAME;
+ } else if (matched_group) {
+ priority |= SELINUX_PRIORITY_USER_GROUP;
+ } else {
+ return false;
+ }
 }
+ } else {
+ priority |= SELINUX_PRIORITY_USER_CAT;
 }
 }
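Review bot: In the user branch (third hunk) `matched_group` is evaluated even when `matched_name` is already true, and the `else` after `return false` adds a nesting level that buys nothing; the two temporaries introduced in the second hunk exist only to feed the if/else-if chain. Testing the calls directly keeps the name-over-group precedence and drops the temporaries: `if (match_entity(users_el, dn)) {` and `} else if (match_entity(users_el, memberof)) {`, with the `return false` staying in the final `else`. The host hunk on the next line has the same shape and would take the same change. The body of sss_selinux_match continues outside this hunk.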
@@ -109,11 +124,26 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
 */
 if (hostcat == NULL || hostcat->num_values == 0 || strcasecmp((char *)hostcat->values[0].data, "all") != 0) {
- if (hosts_el == NULL || (!match_entity(hosts_el, dn) &&
- !match_entity(hosts_el, memberof))) {
+ if (hosts_el == NULL) {
 return false;
+ } else {
+ matched_name = match_entity(hosts_el, dn);
+ matched_group = match_entity(hosts_el, memberof);
+ if (matched_name) {
+ priority |= SELINUX_PRIORITY_HOST_NAME;
+ } else if (matched_group) {
+ priority |= SELINUX_PRIORITY_HOST_GROUP;
+ } else {
+ return false;
+ }
 }
 }
+ } else {
+ priority |= SELINUX_PRIORITY_HOST_CAT;
+ }
+
+ if (_priority != NULL) {
+ *_priority = priority;
 }
 return true;
diff --git a/src/util/sss_selinux.h b/src/util/sss_selinux.h
index 11a5445e6..def389400 100644
--- a/src/util/sss_selinux.h
+++ b/src/util/sss_selinux.h
@@ -30,6 +30,14 @@
 #include <db/sysdb.h>
+#define SELINUX_PRIORITY_USER_CAT 1
+#define SELINUX_PRIORITY_USER_GROUP 2
+#define SELINUX_PRIORITY_USER_NAME 4
+/* According to specification, host has higher priority */
+#define SELINUX_PRIORITY_HOST_CAT 8
+#define SELINUX_PRIORITY_HOST_GROUP 16
+#define SELINUX_PRIORITY_HOST_NAME 32
+
 errno_t
 sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
 struct sysdb_ctx *sysdb,
@@ -38,7 +46,8 @@ sss_selinux_extract_user(TALLOC_CTX *mem_ctx,
 bool sss_selinux_match(struct sysdb_attrs *usermap,
 struct sysdb_attrs *user,
- struct sysdb_attrs *host);
+ struct sysdb_attrs *host,
+ uint32_t *_priority);
 const char *sss_selinux_map_get_seuser(struct ldb_message *usermap); |
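Review bot: The `} else { priority |= SELINUX_PRIORITY_HOST_CAT; }` in the host hunk is attached one block further out than its counterpart in the user hunk: two context `}` lines precede the added `} else {` here, whereas in the user hunk only one does, so this `else` pairs with the block enclosing the `if (hostcat == NULL || ...)` test instead of with that test. If the enclosing block mirrors the user branch (its condition is outside the hunk, presumably a `host != NULL` guard), a map whose host category is "all" gets no host bit when a host is supplied, and SELINUX_PRIORITY_HOST_CAT is set exactly when no host is supplied — the reverse of the user branch and of what the "host has higher priority" comment in the header implies. The three added lines `} else {` / `priority |= SELINUX_PRIORITY_HOST_CAT;` / `}` should move up to follow the first context `}` after the name/group chain, matching the user hunk. The function starts outside this hunk, so the enclosing condition cannot be confirmed from here.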
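Review bot: The new SELINUX_PRIORITY_* constants and the `_priority` out-parameter in the two sss_selinux.h hunks carry no documentation of their contract, which is only recoverable from the .c hunks: the value is a bit-set of these flags, it is written through `_priority` only on the `return true` path (every `return false` leaves the caller's variable untouched), at most one USER_* and one HOST_* bit is set, and NAME wins over GROUP when both match. A Doxygen comment on the `sss_selinux_match` declaration such as `@param[out] _priority  Optional; on a match receives the OR of SELINUX_PRIORITY_* flags describing how the map matched. Not written when the function returns false.` would let callers rank maps without reading the implementation. The declaration now uses `uint32_t` while the hunk shows only `<db/sysdb.h>` being included; confirm that header already provides `<stdint.h>`, or include it here.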