From 33ecf38bc7afcbeed877df2de888115c9232391c Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Fri, 20 Jul 2012 11:10:48 -0400 Subject: Fix linking of HBAC rules and SELinux user maps Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system.
---
 src/providers/ipa/ipa_session.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 4ddf0529f..4be0ec4e3 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -32,6 +32,7 @@
 #include "providers/ipa/ipa_session.h"
 #include "providers/ipa/ipa_hosts.h"
 #include "providers/ipa/ipa_hbac_rules.h"
+#include "providers/ipa/ipa_hbac_private.h"
 #include "providers/ipa/ipa_selinux_common.h"
 #include "providers/ipa/ipa_selinux_maps.h"
@@ -472,6 +473,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
 struct ipa_get_selinux_state);
 struct sysdb_attrs **rules;
 struct sysdb_attrs *usermap;
+ struct ldb_message_element *el;
 const char *hbac_dn;
 const char *seealso_dn;
 size_t rule_count;
@@ -494,6 +496,17 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
 goto done;
 }
+ /* We need to do this translation for further processing. We have to * do it manually because no map was used to retrieve HBAC rules. */
+ ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_HOST, &el);
+ if (ret != EOK) goto done;
+ el->name = SYSDB_ORIG_MEMBER_HOST;
+ ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_USER, &el);
+ if (ret != EOK) goto done;
+ el->name = SYSDB_ORIG_MEMBER_USER;
+ DEBUG(SSSDBG_TRACE_ALL, ("Matching HBAC rule %s with SELinux mappings\n", hbac_dn));
-- cgit
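Review bot: The two new `sysdb_attrs_get_el()` calls in the @@ -494 hunk treat every non-EOK result as fatal, so if that helper reports ENOENT for a rule that simply has no memberHost or memberUser attribute (a rule scoped by hostCategory/userCategory "all" would carry none), one such rule jumps to `done` with an error and none of the remaining rules in `rules[]` are ever matched against the SELinux maps. If the helper instead creates an empty element for a missing name this is moot, but the hunk's comment should say so; otherwise tolerate the absent attribute per call, e.g. `ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_HOST, &el);` / `if (ret == EOK) el->name = SYSDB_ORIG_MEMBER_HOST;` / `else if (ret != ENOENT) goto done;` and the same for IPA_MEMBER_USER. The rename is done in place on `rules[i]`, so any later lookup of IPA_MEMBER_HOST/IPA_MEMBER_USER on these entries (including a second pass over the same array) will no longer find them — worth one sentence in the comment. The enclosing function ipa_get_selinux_hbac_done and the loop that defines `i` and `ret` start and end outside this hunk.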