summaryrefslogtreecommitdiffstats
path: root/src/providers/ipa/ipa_selinux.c
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2013-04-22 10:43:44 +0200
committerJakub Hrozek <jhrozek@redhat.com>2013-04-29 12:15:20 +0200
commitb1829e54acbc8a010aca7f14b9ffa9625f8c102c (patch)
tree7b32d5eb054c486ac89c86a1ab59fdd1a646b8f6 /src/providers/ipa/ipa_selinux.c
parentc7a4383b3b5549d0627c21bb02bd5f0bd46a3531 (diff)
downloadsssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.tar.gz
sssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.tar.xz
sssd-b1829e54acbc8a010aca7f14b9ffa9625f8c102c.zip
Make IPA SELinux provider aware of subdomain users
Fixes https://fedorahosted.org/sssd/ticket/1892
Diffstat (limited to 'src/providers/ipa/ipa_selinux.c')
-rw-r--r--src/providers/ipa/ipa_selinux.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index ed44fac25..d82485e75 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -36,6 +36,7 @@
#include "providers/ipa/ipa_access.h"
#include "providers/ipa/ipa_selinux_common.h"
#include "providers/ipa/ipa_selinux_maps.h"
+#include "providers/ipa/ipa_subdomains.h"
#ifdef HAVE_SELINUX_LOGIN_DIR
@@ -94,6 +95,8 @@ void ipa_selinux_handler(struct be_req *be_req)
struct tevent_req *req;
struct pam_data *pd;
const char *hostname;
+ struct sss_domain_info *user_domain;
+ struct be_ctx *subdom_be_ctx;
pd = talloc_get_type(be_req_get_data(be_req), struct pam_data);
@@ -107,8 +110,28 @@ void ipa_selinux_handler(struct be_req *be_req)
goto fail;
}
- op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb,
- be_ctx->domain,
+ if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) {
+ subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx);
+ if (subdom_be_ctx == NULL) {
+ DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \
+ "cannot lookup domain [%s].\n",
+ pd->domain));
+ goto fail;
+ } else {
+ user_domain = find_subdomain_by_name(subdom_be_ctx->domain,
+ pd->domain, true);
+ if (user_domain == NULL) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("No domain entry found " \
+ "for [%s].\n", pd->domain));
+ goto fail;
+ }
+ }
+ } else {
+ user_domain = be_ctx->domain;
+ }
+
+ op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+ user_domain,
be_req, pd->user, hostname,
selinux_ctx);
if (op_ctx == NULL) {