summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa/ipa_selinux.c
Commit message (Collapse)AuthorAgeFilesLines
* IPA: Remove the ipa_hbac_treat_deny_as optionJakub Hrozek2015-03-241-1/+1
| | | | | | | | | https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* selinux: Handle setup with empty default and no configured rulesJakub Hrozek2015-03-171-2/+2
| | | | | | | | | | SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add missing new lines to debug messagesLukas Slebodnik2015-03-171-3/+3
| | | | Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_selinux: Fix warning may be used uninitializedLukas Slebodnik2015-03-171-1/+1
| | | | | | | | | | | | | src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done': src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized] state->sci = sci; ^ src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here struct selinux_child_input *sci; ^ cc1: all warnings being treated as errors Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* selinux: Delete existing user mapping on empty defaultJakub Hrozek2015-03-041-6/+8
| | | | | | | | | | | | | | https://fedorahosted.org/sssd/ticket/2587 The case of SELinux default user mapping being an empty string is valid, it should translate into "pick the default context on the target machine". In case the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: Unify the fd_nonblocking implementationJakub Hrozek2015-01-151-2/+2
| | | | | | | The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* UTIL: Allow dup-ing child pipe to a different FDJakub Hrozek2015-01-131-2/+1
| | | | | | | | | | Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Do not append domain name to fq nameLukas Slebodnik2014-12-081-4/+17
| | | | | | | | | | Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
* Add extra_args to exec_child()Jakub Hrozek2014-12-031-1/+2
| | | | | | | | | | | | Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
* IPA: Store right username to selinux child contextLukas Slebodnik2014-11-061-1/+1
| | | | | | Wrong name would be used with fully qualified names. Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: Move setting the SELinux context to a child processJakub Hrozek2014-11-051-20/+389
| | | | | | | | In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: Use set_seuser instead of writing selinux login fileMichal Zidek2014-10-201-134/+48
| | | | | | | | | Remove the write/remove_selinux login file functions and use set_seuser instead. This patch will require change in selinux policy. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* case_sensitivity = preservingMichal Zidek2014-07-291-1/+1
| | | | | | | | | | | If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com>
* UTIL: rename find_subdomain_by_namePavel Reichl2014-07-221-2/+2
| | | | | | | | | The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* ipa_selinux: Put SELinux map order related variables into structureMichal Zidek2014-05-121-31/+37
| | | | | | | | | | | Small change to make the code more readable. The relation between order, order_array and order_count is more obvious when they are grouped in structure. resolves: https://fedorahosted.org/sssd/ticket/2304 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Remove dead code from ipa_get_selinux_recvMichal Zidek2014-04-071-38/+23
| | | | | | | | The 'else' branches in ipa_get_selinux_recv are never executed (and even if they were, the result would be the same as if the true branches were taken). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
* Possible null dereference in SELinux codeMichal Zidek2014-04-041-2/+2
| | | | Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
* IPA: Fix SELinux mapping order memory hierarchyJakub Hrozek2014-04-031-8/+8
| | | | | | | | | | https://fedorahosted.org/sssd/ticket/2300 The list of SELinux mapping orders was allocated on tmp_ctx and parsed into an array. The array itself was correctly allocated on mem_ctx but its contents remained on tmp_ctx, leading to a use-after-free error. This patch fixes the memory hierarchy so that both the array and its contents are allocated on mem_ctx.
* IPA: Write SELinux usernames in the right caseJakub Hrozek2014-03-131-5/+21
| | | | | | https://fedorahosted.org/sssd/ticket/2282 Reviewed-by: Michal Židek <mzidek@redhat.com>
* IPA: Use the correct domain when processing SELinux rulesJakub Hrozek2014-03-111-10/+15
| | | | | | | | | | We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user. https://fedorahosted.org/sssd/ticket/2270 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
* IPA: Do not save intermediate data to sysdbJakub Hrozek2014-03-051-28/+28
| | | | | | https://fedorahosted.org/sssd/ticket/2264 Reviewed-by: Sumit Bose <sbose@redhat.com>
* Make DEBUG macro invocations variadicNikolai Kondrashov2014-02-121-55/+55
| | | | | | | | | | | | | | | | | | | | | | | | Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
* Remove unused parameter from sss_selinux_extract_userLukas Slebodnik2013-11-271-1/+1
|
* SYSDB: Drop redundant sysdb_ctx parameter from sysdb.cMichal Zidek2013-11-151-1/+1
|
* SYSDB: Drop the sysdb_ctx parameter from SELinux functionsJakub Hrozek2013-11-151-7/+6
|
* Merge ipa_selinux_common.c and ipa_selinux.cJakub Hrozek2013-11-151-1/+46
| | | | | Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c
* Fix formating of variables with type: size_tLukas Slebodnik2013-09-111-2/+2
|
* Fix formating of variables with type: ssize_tLukas Slebodnik2013-09-111-2/+2
|
* LDAP: sdap_id_ctx might contain several connectionsJakub Hrozek2013-06-071-1/+2
| | | | | | | | | | | | | | | | | | | With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
* Fix broken build with selinux.Lukas Slebodnik2013-05-141-1/+3
| | | | | | | | | Header file selinux/selinux.h was removed in commit 245cc346 from file ipa_selinux.c, because it breaks build without selinux. But new error was introduced. This patch fixes compilation with selinux and include header file selinux/selinux.h only if both macros exist HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR. Now ipa_selinux.c should be correctly built with and without selinux.
* Fixes compilation without selinux.Lukas Slebodnik2013-05-131-1/+0
| | | | | | | | Compilation fail if ./configure is called with arguments --with-selinux --with-semanage and selinux header files are not installed. We didn't not catch this in fedora, because krb5-devel depends on libselinux-devel, but other distribution can package it differently. And API from selinux.h is not used in file ipa_selinux.c
* selinux: if no domain matches, make the debug message louderJakub Hrozek2013-04-291-3/+3
|
* Make IPA SELinux provider aware of subdomain usersSumit Bose2013-04-291-2/+25
| | | | Fixes https://fedorahosted.org/sssd/ticket/1892
* selinux: Remove unused parameterJakub Hrozek2013-03-271-1/+0
| | | | https://fedorahosted.org/sssd/ticket/1848
* Make the SELinux refresh time configurable.Michal Zidek2013-03-191-2/+3
| | | | Option ipa_selinux_refresh is added to basic ipa options.
* Reuse cached SELinux mappings.Michal Zidek2013-03-191-3/+28
| | | | | | | | Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
* Move SELinux processing to provider.Michal Zidek2013-03-191-31/+381
| | | | | | | | | | | | The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
* Add be_req_get_data() helper funciton.Simo Sorce2013-01-211-2/+3
| | | | In preparation for making struct be_req opaque.
* Add be_req_get_be_ctx() helper.Simo Sorce2013-01-211-6/+6
| | | | In preparation for making be_req opaque
* Introduce be_req_terminate() helperSimo Sorce2013-01-211-4/+4
| | | | | Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
* Remove domain from be_req structureSimo Sorce2013-01-211-34/+34
|
* Remove sysdb argument from hbac_get_cached_rules()Simo Sorce2013-01-211-4/+4
|
* Remove sysdb argument from ipa_host_info_send()Simo Sorce2013-01-211-1/+1
|
* Remove sysdb as a be request structure memberSimo Sorce2013-01-211-2/+2
| | | | The sysdb context is already available through the 'domain' context.
* Remove sysdb as a be context structure memberSimo Sorce2013-01-211-7/+7
| | | | The sysdb context is already available through the 'domain' structure.
* Add domain argument to sysdb selinux functionsSimo Sorce2013-01-151-3/+6
|
* Add domain argument to sysdb_search_custom()Simo Sorce2013-01-151-1/+2
| | | | Also changes sysdb_search_custom_by_name()
* Add domain to sysdb_search_user_by_name()Simo Sorce2013-01-151-1/+1
| | | | Also remove unused sysdb_search_domuser_by_name()
* Make sysdb_custom_dn() require a domain.Simo Sorce2013-01-151-3/+5
|
* IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAPJakub Hrozek2013-01-081-2/+4
| | | | It is not a map, but a default context. The name should reflect that.