authorJakub Hrozek <jhrozek@redhat.com>2012-09-13 10:07:29 +0200
committerJakub Hrozek <jhrozek@redhat.com>2012-09-13 18:11:59 +0200
commitebb1f28998c06984765e3e78d30911c1c3ec84e2 (patch)
treedf4f3009903fd1f312365776d7e1c8d37bee58be
parent894d18ff4178f40a18bbfece8fae270d8307eac6 (diff)
downloadsssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.tar.gz
sssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.tar.bz2
sssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.zip
SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that: * if the default is set in the IPA config object, the SSSD uses that default no matter what; * if the default is not set (i.e. empty or missing), the SSSD just uses the system default and skips creating the login file altogether.
-rw-r--r--src/db/sysdb_selinux.c11
-rw-r--r--src/providers/ipa/ipa_selinux.c18
-rw-r--r--src/responder/pam/pamsrv_cmd.c43
3 files changed, 39 insertions, 33 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index bc067225..857b17d9 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -191,6 +191,11 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
return ENOMEM;
}
+ if (!order) {
+ DEBUG(SSSDBG_CRIT_FAILURE, ("The SELinux order is missing\n"));
+ return EINVAL;
+ }
+
if (default_user) {
ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_USER,
default_user);
@@ -205,7 +210,7 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
goto done;
}
- ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
+ ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
done:
talloc_free(attrs);
return ret;
@@ -344,7 +349,9 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_SUBTREE, filter,
attrs, &msgs_count, &msgs);
- if (ret) {
+ if (ret == ENOENT) {
+ msgs_count = 0;
+ } else if (ret) {
goto done;
}
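Review bot: The new `if (!order)` check in the first hunk returns EINVAL directly and so bypasses the `done:` label that frees `attrs`; if `attrs` has already been allocated at that point, which the `return ENOMEM` immediately above suggests, the early return leaks it onto the parent talloc context. Either move the check ahead of the allocation or write it as `ret = EINVAL; goto done;` to match the `default_user` path a few lines below. In the third hunk the ENOENT branch resets `msgs_count` but leaves `ret` as ENOENT, so the function's eventual return value depends on code after the hunk. Both sysdb_store_selinux_config and sysdb_search_selinux_usermap_by_username start and end outside the visible lines.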
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 36a2bfb4..0adc0fd0 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -136,11 +136,9 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
goto fail;
}
- if (default_user != NULL && map_order != NULL) {
- ret = sysdb_store_selinux_config(sysdb, default_user, map_order);
- if (ret != EOK) {
- goto fail;
- }
+ ret = sysdb_store_selinux_config(sysdb, default_user, map_order);
+ if (ret != EOK) {
+ goto fail;
}
if (map_count > 0 && maps != NULL) {
@@ -668,13 +666,15 @@ ipa_get_selinux_recv(struct tevent_req *req,
if (state->defaults != NULL) {
ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_DEFAULT_MAP,
&tmp_str);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
return ret;
}
- *default_user = talloc_strdup(mem_ctx, tmp_str);
- if (*default_user == NULL) {
- return ENOMEM;
+ if (ret == EOK) {
+ *default_user = talloc_strdup(mem_ctx, tmp_str);
+ if (*default_user == NULL) {
+ return ENOMEM;
+ }
}
ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_MAP_ORDER,
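Review bot: On the newly tolerated ENOENT path in the second hunk, `*default_user` is never assigned, so callers only see "no default" if they pre-initialized the out-parameter to NULL; nothing in the hunk guarantees that, and the `state->defaults == NULL` branch presumably has the same reliance. Making it explicit, `} else { *default_user = NULL; }` after the strdup block, removes the dependency on caller discipline. The first hunk's unconditional `sysdb_store_selinux_config` call now relies on that function rejecting a NULL `map_order`, which the sysdb_selinux.c change does provide. ipa_get_selinux_recv starts and ends outside the hunk.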
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 4c035683..07fa96ab 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -519,30 +519,33 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
goto done;
}
- /* We need two values from the config object:
- * - default SELinux user in case no other is available
- * - the order for fetched usermaps
- */
- for (i = 0; i < config->num_elements; i++) {
- if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_USER) == 0) {
- default_user = (const char *)config->elements[i].values[0].data;
- } else if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_ORDER) == 0) {
- tmp_str = (char *)config->elements[i].values[0].data;
- len = config->elements[i].values[0].length;
- order = talloc_strdup(tmp_ctx, tmp_str);
- if (order == NULL) {
- goto done;
- }
- }
+ default_user = ldb_msg_find_attr_as_string(config,
+ SYSDB_SELINUX_DEFAULT_USER,
+ NULL);
+ if (!default_user || default_user[0] == '\0') {
+ /* Skip creating the maps altogether if there is no default
+ * or empty default
+ */
+ ret = EOK;
+ goto done;
}
- if (default_user == NULL || order == NULL) {
- DEBUG(SSSDBG_OP_FAILURE, ("No default SELinux user "
- "or map order given!\n"));
+ tmp_str = ldb_msg_find_attr_as_string(config,
+ SYSDB_SELINUX_DEFAULT_ORDER,
+ NULL);
+ if (tmp_str == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, ("No map order given!\n"));
ret = EINVAL;
goto done;
}
+ order = talloc_strdup(tmp_ctx, tmp_str);
+ if (order == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ len = strlen(order);
+
/* The "order" string contains one or more SELinux user records
* separated by $. Now we need to create an array of string from
* this one string. First find out how many elements in the array
@@ -577,10 +580,6 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
&usermaps);
if (ret != EOK && ret != ENOENT) {
goto done;
- } else if (ret == ENOENT) {
- DEBUG(SSSDBG_TRACE_FUNC, ("No maps defined on the server\n"));
- ret = EOK;
- goto done;
}
/* If no maps match, we'll use the default SELinux user from the
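Review bot: The map-order lookup in the first hunk only rejects a missing attribute (`if (tmp_str == NULL)`), whereas the default-user check just above it also treats an empty string as absent; an empty order value therefore reaches `len = strlen(order)` as zero and then the `$`-splitting code, whose handling of that case is outside the hunk. Mirroring the default-user test, `if (tmp_str == NULL || tmp_str[0] == '\0') {`, keeps the two checks consistent and matches the NULL rejection now done in sysdb_store_selinux_config. In the second hunk, dropping the ENOENT early-return means control now continues after `sysdb_search_selinux_usermap_by_username` with whatever `usermaps` holds on an empty result, so it depends on that function returning EOK and a usable (empty) result there; the sysdb_selinux.c hunk clears `msgs_count` but its final return value is not visible. process_selinux_mappings starts and ends outside both hunks.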