From 95d170adf00b15dd9863a82eb22837409ab69bf0 Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 26 Jul 2012 03:38:22 -0400 Subject: Support fetching of HBAC rules from sysdb in SELinux code If HBAC is active, SELinux code will reuse them instead of downloading them from the server again. --- src/providers/ipa/ipa_selinux.c | 61 +++++++++++++++++++++++++++++++---------- 1 file changed, 47 insertions(+), 14 deletions(-) (limited to 'src/providers') diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 03b7eb459..0a2dd0830 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -33,6 +33,7 @@ #include "providers/ipa/ipa_hosts.h" #include "providers/ipa/ipa_hbac_rules.h" #include "providers/ipa/ipa_hbac_private.h" +#include "providers/ipa/ipa_access.h" #include "providers/ipa/ipa_selinux_common.h" #include "providers/ipa/ipa_selinux_maps.h" @@ -72,6 +73,10 @@ static void ipa_get_config_step(struct tevent_req *req); static void ipa_get_selinux_config_done(struct tevent_req *subreq); static void ipa_get_selinux_maps_done(struct tevent_req *subreq); static void ipa_get_selinux_hbac_done(struct tevent_req *subreq); +static int +ipa_get_selinux_hbac_process(struct ipa_get_selinux_state *state, + struct sysdb_attrs **rules, + size_t rule_count); void ipa_selinux_handler(struct be_req *be_req) { @@ -379,6 +384,11 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq) struct be_ctx *bctx; struct ipa_id_ctx *id_ctx; + char *selinux_name; + char *access_name; + struct sysdb_attrs **rules; + size_t rule_count; + const char *tmp_str; uint32_t priority = 0; errno_t ret; 
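Review bot: The new forward declaration in the `@@ -72,6 +73,10 @@` hunk gives `ipa_get_selinux_hbac_process` a return type of `int`, while the value it hands back is the `errno_t ret` of its body and both callers store it in an `errno_t`; the file's other helpers are declared `static errno_t` (one is visible at the end of the last hunk). Declaring it `static errno_t ipa_get_selinux_hbac_process(struct ipa_get_selinux_state *state, struct sysdb_attrs **rules, size_t rule_count);` here, and the same at its definition in the `@@ -490,6 +504,29 @@` hunk, keeps the error-code type consistent at both call sites. The prototype would also benefit from a one-line comment saying that it consumes a rule array regardless of whether the rules came from the server or from sysdb, since that is the point of the split.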
@@ -437,9 +447,19 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq) } if (state->possible_matches) { - /* FIXME: detect if HBAC is configured - * - if yes, we can skip HBAC retrieval and get it directly from sysdb - */ + access_name = state->be_req->be_ctx->bet_info[BET_ACCESS].mod_name; + selinux_name = state->be_req->be_ctx->bet_info[BET_SELINUX].mod_name; + if (strcasecmp(access_name, selinux_name) == 0) { + ret = hbac_get_cached_rules(state, state->be_req->be_ctx->sysdb, + &rule_count, &rules); + if (ret != EOK) { + goto done; + } + + ret = ipa_get_selinux_hbac_process(state, rules, rule_count); + goto done; + } + DEBUG(SSSDBG_TRACE_FUNC, ("%d SELinux maps referenced an HBAC rule. " "Need to refresh HBAC rules\n", state->possible_matches)); subreq = ipa_hbac_rule_info_send(state, false, bctx->ev, @@ -472,14 +492,8 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) struct ipa_get_selinux_state *state = tevent_req_data(req, struct ipa_get_selinux_state); struct sysdb_attrs **rules; - struct sysdb_attrs *usermap; - struct ldb_message_element *el; - const char *hbac_dn; - const char *seealso_dn; size_t rule_count; - uint32_t priority = 0; errno_t ret; - int i, j; ret = ipa_hbac_rule_info_recv(subreq, state, &rule_count, &rules); @@ -490,6 +504,29 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) goto done; } + ret = ipa_get_selinux_hbac_process(state, rules, rule_count); + +done: + if (ret != EOK) { + tevent_req_error(req, ret); + } else { + tevent_req_done(req); + } +} + +static int +ipa_get_selinux_hbac_process(struct ipa_get_selinux_state *state, + struct sysdb_attrs **rules, + size_t rule_count) +{ + int i, j; + errno_t ret; + uint32_t priority = 0; + const char *hbac_dn; + const char *seealso_dn; + struct sysdb_attrs *usermap; + struct ldb_message_element *el; + for (i = 0; i < rule_count; i++) { ret = sysdb_attrs_get_string(rules[i], SYSDB_ORIG_DN, &hbac_dn); if (ret != EOK) { 
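Review bot: The cached-rules branch decides to trust sysdb solely on `strcasecmp(access_name, selinux_name) == 0`, and that call dereferences both `mod_name` pointers without a check; if either backend target can be left unconfigured so that `mod_name` is NULL (not visible here), the comparison crashes, so `if (access_name != NULL && selinux_name != NULL && strcasecmp(access_name, selinux_name) == 0)` is cheap insurance. The branch is also silent: the server-fetch path below it logs a TRACE_FUNC message, but nothing records that HBAC rules were taken from the cache, which makes an SELinux mapping decision hard to reconstruct from logs — add `DEBUG(SSSDBG_TRACE_FUNC, ("Reusing HBAC rules cached by the access provider\n"));` before the `hbac_get_cached_rules` call. The reuse also presumably relies on the access provider having run, online, earlier in this request so that the cached rules are current; that assumption deserves a comment above the `strcasecmp` check. The enclosing function starts, and its `done:` label lies, outside the hunk.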
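Review bot: In the new `ipa_get_selinux_hbac_process` the loop `for (i = 0; i < rule_count; i++)` compares the `int i` against the `size_t rule_count`, a signed/unsigned comparison that `-Wsign-compare` flags; the `int i, j;` declaration is carried over from the old `ipa_get_selinux_hbac_done`, so declare `size_t i, j;` instead and check that the `j` loop, which lies outside the hunk, is bounded by an unsigned value as well. The helper also lacks a header comment; a short `/* ... */` above the definition stating what it does with each rule's `SYSDB_ORIG_DN` and `usermap`/`seealso_dn`, how `priority` is chosen, and that it returns an errno-style code would let the two callers be read without the body. The function's body continues past the end of the hunk.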
@@ -563,11 +600,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
     ret = EOK;
 
 done:
-    if (ret != EOK) {
-        tevent_req_error(req, ret);
-    } else {
-        tevent_req_done(req);
-    }
+    return ret;
 }
 
 static errno_t
--
cgit