diff options
author | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 10:07:29 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 18:11:59 +0200 |
commit | ebb1f28998c06984765e3e78d30911c1c3ec84e2 (patch) | |
tree | df4f3009903fd1f312365776d7e1c8d37bee58be | |
parent | 894d18ff4178f40a18bbfece8fae270d8307eac6 (diff) | |
download | sssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.tar.gz sssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.tar.bz2 sssd-ebb1f28998c06984765e3e78d30911c1c3ec84e2.zip |
SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
-rw-r--r-- | src/db/sysdb_selinux.c | 11 | ||||
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 18 | ||||
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 43 |
3 files changed, 39 insertions, 33 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c index bc067225..857b17d9 100644 --- a/src/db/sysdb_selinux.c +++ b/src/db/sysdb_selinux.c @@ -191,6 +191,11 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb, return ENOMEM; } + if (!order) { + DEBUG(SSSDBG_CRIT_FAILURE, ("The SELinux order is missing\n")); + return EINVAL; + } + if (default_user) { ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_USER, default_user); @@ -205,7 +210,7 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb, goto done; } - ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG); + ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG); done: talloc_free(attrs); return ret; @@ -344,7 +349,9 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx, ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_SUBTREE, filter, attrs, &msgs_count, &msgs); - if (ret) { + if (ret == ENOENT) { + msgs_count = 0; + } else if (ret) { goto done; } diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 36a2bfb4..0adc0fd0 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -136,11 +136,9 @@ static void ipa_selinux_handler_done(struct tevent_req *req) goto fail; } - if (default_user != NULL && map_order != NULL) { - ret = sysdb_store_selinux_config(sysdb, default_user, map_order); - if (ret != EOK) { - goto fail; - } + ret = sysdb_store_selinux_config(sysdb, default_user, map_order); + if (ret != EOK) { + goto fail; } if (map_count > 0 && maps != NULL) { @@ -668,13 +666,15 @@ ipa_get_selinux_recv(struct tevent_req *req, if (state->defaults != NULL) { ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_DEFAULT_MAP, &tmp_str); - if (ret != EOK) { + if (ret != EOK && ret != ENOENT) { return ret; } - *default_user = talloc_strdup(mem_ctx, tmp_str); - if (*default_user == NULL) { - return ENOMEM; + if (ret == EOK) { + *default_user = talloc_strdup(mem_ctx, tmp_str); + if (*default_user == NULL) { + return ENOMEM; + } } ret = sysdb_attrs_get_string(state->defaults, IPA_CONFIG_SELINUX_MAP_ORDER, diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 4c035683..07fa96ab 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -519,30 +519,33 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq) goto done; } - /* We need two values from the config object: - * - default SELinux user in case no other is available - * - the order for fetched usermaps - */ - for (i = 0; i < config->num_elements; i++) { - if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_USER) == 0) { - default_user = (const char *)config->elements[i].values[0].data; - } else if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_ORDER) == 0) { - tmp_str = (char *)config->elements[i].values[0].data; - len = config->elements[i].values[0].length; - order = talloc_strdup(tmp_ctx, tmp_str); - if (order == NULL) { - goto done; - } - } + default_user = ldb_msg_find_attr_as_string(config, + SYSDB_SELINUX_DEFAULT_USER, + NULL); + if (!default_user || default_user[0] == '\0') { + /* Skip creating the maps altogether if there is no default + * or empty default + */ + ret = EOK; + goto done; } - if (default_user == NULL || order == NULL) { - DEBUG(SSSDBG_OP_FAILURE, ("No default SELinux user " - "or map order given!\n")); + tmp_str = ldb_msg_find_attr_as_string(config, + SYSDB_SELINUX_DEFAULT_ORDER, + NULL); + if (tmp_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, ("No map order given!\n")); ret = EINVAL; goto done; } + order = talloc_strdup(tmp_ctx, tmp_str); + if (order == NULL) { + ret = ENOMEM; + goto done; + } + len = strlen(order); + /* The "order" string contains one or more SELinux user records * separated by $. Now we need to create an array of string from * this one string. First find out how many elements in the array @@ -577,10 +580,6 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq) &usermaps); if (ret != EOK && ret != ENOENT) { goto done; - } else if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_FUNC, ("No maps defined on the server\n")); - ret = EOK; - goto done; } /* If no maps match, we'll use the default SELinux user from the |