author | Sumit Bose <sbose@redhat.com> | 2013-04-22 10:43:44 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-04-29 12:15:20 +0200 |
commit | b1829e54acbc8a010aca7f14b9ffa9625f8c102c (patch) | |
tree | 7b32d5eb054c486ac89c86a1ab59fdd1a646b8f6 /src/providers/ipa/ipa_selinux.c | |
parent | c7a4383b3b5549d0627c21bb02bd5f0bd46a3531 (diff) | |
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892
Diffstat (limited to 'src/providers/ipa/ipa_selinux.c')
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index ed44fac25..d82485e75 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -36,6 +36,7 @@
 #include "providers/ipa/ipa_access.h"
 #include "providers/ipa/ipa_selinux_common.h"
 #include "providers/ipa/ipa_selinux_maps.h"
+#include "providers/ipa/ipa_subdomains.h"
 #ifdef HAVE_SELINUX_LOGIN_DIR
@@ -94,6 +95,8 @@ void ipa_selinux_handler(struct be_req *be_req)
 struct tevent_req *req;
 struct pam_data *pd;
 const char *hostname;
+ struct sss_domain_info *user_domain;
+ struct be_ctx *subdom_be_ctx;
 pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
@@ -107,8 +110,28 @@ void ipa_selinux_handler(struct be_req *be_req)
 goto fail;
 }
- op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb,
- be_ctx->domain,
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx);
+ if (subdom_be_ctx == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \
+ "cannot lookup domain [%s].\n",
+ pd->domain));
+ goto fail;
+ } else {
+ user_domain = find_subdomain_by_name(subdom_be_ctx->domain,
+ pd->domain, true);
+ if (user_domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No domain entry found " \
+ "for [%s].\n", pd->domain));
+ goto fail;
+ }
+ }
+ } else {
+ user_domain = be_ctx->domain;
+ }
+
+ op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+ user_domain,
 be_req, pd->user, hostname, selinux_ctx);
 if (op_ctx == NULL) { |
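Review bot: `pd->domain` goes straight into `strcasecmp()` at the top of the new block in the third hunk, and nothing visible there guarantees it is non-NULL; because this request-supplied name now also selects which domain's sysdb the SELinux map lookup reads, a guard such as `if (pd->domain == NULL) goto fail;` (with a debug message) before the comparison would be worth adding unless the caller already enforces it. Both new failure paths abandon the request via `goto fail`, yet they log at `SSSDBG_CONF_SETTINGS` and `SSSDBG_MINOR_FAILURE`, which may not appear at the debug levels normally enabled; `SSSDBG_OP_FAILURE` with `pd->user` in the message would make a failed lookup for a subdomain user easier to trace. The `else` after the first `goto fail` is redundant and could be dropped to save a level of nesting. `ipa_selinux_handler` starts and ends outside this hunk, so what the `fail` label reports back to the caller is not visible here.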