author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-16 13:54:21 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-18 16:32:25 +0200 |
commit | 1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47 (patch) | |
tree | d7588ed8b02fcdaa5d231930b9a165208e078dfc /src/providers/ipa | |
parent | 266fd9834133e31c51b9e967307a793e5a49258e (diff) | |
Modify priority evaluation in SELinux user maps
The functionality now is following:
When rule is being matched, its priority is determined as a combination
of user and host specificity (host taking preference).
After the rule is matched in provider, only its host priority is stored
in sysdb for later usage.
When rules are matched in the responder, their user priority is
determined. After that their host priority is retrieved directly from
sysdb and the sum of both priorities is used to determine whether to use
that rule or not. If more rules have the same priority, the order given
in IPA config is used.
https://fedorahosted.org/sssd/ticket/1360
https://fedorahosted.org/sssd/ticket/1395
Diffstat (limited to 'src/providers/ipa')
-rw-r--r-- | src/providers/ipa/ipa_session.c | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 238acdde..12e80729 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -326,6 +326,7 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq)
 const char *tmp_str;
 size_t conf_cnt = 0;
 size_t pos_cnt = 0;
+ uint32_t priority = 0;
 errno_t ret;
 int i;
@@ -358,7 +359,17 @@ static void ipa_get_selinux_maps_done(struct tevent_req *subreq)
 }
 for (i = 0; i < count; i++) {
- if (sss_selinux_match(results[i], state->user, state->host)) {
+ if (sss_selinux_match(results[i], state->user, state->host, &priority)) {
+ priority &= ~(SELINUX_PRIORITY_USER_NAME |
+ SELINUX_PRIORITY_USER_GROUP |
+ SELINUX_PRIORITY_USER_CAT);
+ ret = sysdb_attrs_add_uint32(results[i],
+ SYSDB_SELINUX_HOST_PRIORITY,
+ priority);
+ if (ret != EOK) {
+ goto done;
+ }
+
 state->confirmed_match[conf_cnt] = talloc_steal(state->confirmed_match, results[i]);
 conf_cnt++;
@@ -445,6 +456,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
 size_t rule_count;
 size_t conf_cnt;
 size_t pos_cnt;
+ uint32_t priority = 0;
 errno_t ret;
 int i, j;
@@ -458,7 +470,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
 for (pos_cnt = 0 ; state->possible_match[pos_cnt]; pos_cnt++) ;
 for (i = 0; i < rule_count; i++) {
- if (!sss_selinux_match(rules[i], state->user, state->host)) {
+ if (!sss_selinux_match(rules[i], state->user, state->host, &priority)) {
 continue;
 }
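Review bot: In the -358 hunk `priority` is declared once per function (the +326 hunk) and is passed to `sss_selinux_match()` by pointer on every iteration without being reset, so whether the host priority stored for a later rule can inherit bits from an earlier match depends on `sss_selinux_match()` assigning rather than OR-ing into `*priority`, which this diff does not show. Because the stored value decides which SELinux map the responder picks for a login, a leaked host bit could silently promote a less specific rule; if the callee does not clear the value itself, add `priority = 0;` as the first statement of the `for` body (and likewise in the -458 hunk). The same three-flag mask is also spelled out in full at both call sites; a single `#define SELINUX_PRIORITY_USER_MASK (SELINUX_PRIORITY_USER_NAME | SELINUX_PRIORITY_USER_GROUP | SELINUX_PRIORITY_USER_CAT)` next to the flag definitions would keep the two from drifting apart. `ipa_get_selinux_maps_done()` begins and ends outside this hunk.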
@@ -480,6 +492,26 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
 }
 if (strcasecmp(hbac_dn, seealso_dn) == 0) {
+ priority &= ~(SELINUX_PRIORITY_USER_NAME |
+ SELINUX_PRIORITY_USER_GROUP |
+ SELINUX_PRIORITY_USER_CAT);
+ ret = sysdb_attrs_add_uint32(usermap,
+ SYSDB_SELINUX_HOST_PRIORITY,
+ priority);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_copy_values(rules[i], usermap, SYSDB_ORIG_MEMBER_USER);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ ret = sysdb_attrs_copy_values(rules[i], usermap, SYSDB_USER_CATEGORY);
+ if (ret != EOK) {
+ goto done;
+ }
+
 state->confirmed_match[conf_cnt++] = talloc_steal( state->confirmed_match, usermap); |