author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-20 11:10:48 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-25 22:50:31 +0200 |
commit | 33ecf38bc7afcbeed877df2de888115c9232391c (patch) | |
tree | 04719dda658519d1ea1345417002b007f9178969 | |
parent | 28aa01a364218d007161f72d5c0d193e895b2c67 (diff) | |
Fix linking of HBAC rules and SELinux user maps
Translate manually memberHost and memberUser to originalMemberUser and
originalMemberHost. Without this, the HBAC rule won't be matched against
current user and/or host, meaning that no SELinux user map connected to
it will be matched against any user on the system.
-rw-r--r-- | src/providers/ipa/ipa_session.c | 13 |
1 files changed, 13 insertions, 0 deletions
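--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -32,6 +32,7 @@
 #include "providers/ipa/ipa_session.h"
 #include "providers/ipa/ipa_hosts.h"
 #include "providers/ipa/ipa_hbac_rules.h"
+#include "providers/ipa/ipa_hbac_private.h"
 #include "providers/ipa/ipa_selinux_common.h"
 #include "providers/ipa/ipa_selinux_maps.h"
 
@@ -472,6 +473,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
                                                     struct ipa_get_selinux_state);
     struct sysdb_attrs **rules;
     struct sysdb_attrs *usermap;
+    struct ldb_message_element *el;
     const char *hbac_dn;
     const char *seealso_dn;
     size_t rule_count;
@@ -494,6 +496,17 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
             goto done;
         }
 
+        /* We need to do this translation for further processing. We have to
+         * do it manually because no map was used to retrieve HBAC rules.
+         */
+        ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_HOST, &el);
+        if (ret != EOK) goto done;
+        el->name = SYSDB_ORIG_MEMBER_HOST;
+
+        ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_USER, &el);
+        if (ret != EOK) goto done;
+        el->name = SYSDB_ORIG_MEMBER_USER;
+
         DEBUG(SSSDBG_TRACE_ALL, ("Matching HBAC rule %s with SELinux mappings\n",
                                  hbac_dn));
 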
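Review bot: The two `if (ret != EOK) goto done;` lines in the third hunk are unbraced single-line bodies, while the context just above (`goto done; }`) shows this function braces its error paths; write them as `if (ret != EOK) {` / `    goto done;` / `}` to match. Each of those gotos also abandons the whole SELinux-map lookup, not just the current rule, so the outcome for a rule that carries no memberHost or memberUser attribute hinges on whether sysdb_attrs_get_el reports an error or hands back an empty element for a missing attribute — which one is intended is not visible here and should be stated in the added comment, e.g. `/* A rule without memberHost/memberUser must still be renamed (or fail the request) so that the match below never sees the untranslated attribute name. */`. If a rule already carries an originalMemberHost/originalMemberUser element, the in-place rename leaves two elements with the same name; that case is presumably excluded by how the rules were fetched, but a one-line note saying so would help the next reader. ipa_get_selinux_hbac_done starts before and ends after this hunk, so the loop over rules[i] and the done: label are not visible in the diff.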