From 563cb29dbe477176f427466cdc1876437c77738b Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Sun, 11 Aug 2013 23:39:49 +0200
Subject: Make IPA SELinux provider aware of subdomain users

Fixes https://fedorahosted.org/sssd/ticket/1892
---
 src/responder/pam/pamsrv_cmd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'src/responder')

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index a180a8f1d..db1f90bc2 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -522,7 +522,9 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
         goto done;
     }
 
-    sysdb = preq->domain->sysdb;
+    /* Sysdb rules are always stored in the parent domain */
+    sysdb = preq->domain->parent ? preq->domain->parent->sysdb :
+                                   preq->domain->sysdb;
     if (sysdb == NULL) {
         DEBUG(SSSDBG_FATAL_FAILURE, ("Fatal: Sysdb CTX not found for "
                                      "domain [%s]!\n", preq->domain->name));
@@ -598,7 +600,7 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
     }
 
     /* Fetch all maps applicable to the user who is currently logging in */
-    ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, sysdb, pd->user,
+    ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, preq->domain, pd->user,
                                                    &usermaps);
     if (ret != EOK && ret != ENOENT) {
         goto done;
-- 
cgit