author | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 10:07:29 +0200 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-13 18:11:59 +0200 |
commit | ebb1f28998c06984765e3e78d30911c1c3ec84e2 (patch) | |
tree | df4f3009903fd1f312365776d7e1c8d37bee58be /src/responder/pam | |
parent | 894d18ff4178f40a18bbfece8fae270d8307eac6 (diff) | |
SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
* if the default is set in the IPA config object, the SSSD would use
that default no matter what
* if the default is not set (aka empty or missing), the SSSD
would just use the system default and skip creating the login
file altogether
Diffstat (limited to 'src/responder/pam')
-rw-r--r-- | src/responder/pam/pamsrv_cmd.c | 43 |
1 files changed, 21 insertions, 22 deletions
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 4c035683..07fa96ab 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -519,30 +519,33 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
         goto done;
     }
-    /* We need two values from the config object:
-     * - default SELinux user in case no other is available
-     * - the order for fetched usermaps
-     */
-    for (i = 0; i < config->num_elements; i++) {
-        if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_USER) == 0) {
-            default_user = (const char *)config->elements[i].values[0].data;
-        } else if (strcasecmp(config->elements[i].name, SYSDB_SELINUX_DEFAULT_ORDER) == 0) {
-            tmp_str = (char *)config->elements[i].values[0].data;
-            len = config->elements[i].values[0].length;
-            order = talloc_strdup(tmp_ctx, tmp_str);
-            if (order == NULL) {
-                goto done;
-            }
-        }
+    default_user = ldb_msg_find_attr_as_string(config,
+                                               SYSDB_SELINUX_DEFAULT_USER,
+                                               NULL);
+    if (!default_user || default_user[0] == '\0') {
+        /* Skip creating the maps altogether if there is no default
+         * or empty default
+         */
+        ret = EOK;
+        goto done;
     }
-    if (default_user == NULL || order == NULL) {
-        DEBUG(SSSDBG_OP_FAILURE, ("No default SELinux user " "or map order given!\n"));
+    tmp_str = ldb_msg_find_attr_as_string(config,
+                                          SYSDB_SELINUX_DEFAULT_ORDER,
+                                          NULL);
+    if (tmp_str == NULL) {
+        DEBUG(SSSDBG_OP_FAILURE, ("No map order given!\n"));
         ret = EINVAL;
         goto done;
     }
+    order = talloc_strdup(tmp_ctx, tmp_str);
+    if (order == NULL) {
+        ret = ENOMEM;
+        goto done;
+    }
+    len = strlen(order);
     /* The "order" string contains one or more SELinux user records
      * separated by $. Now we need to create an array of string from
      * this one string. First find out how many elements in the array
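Review bot: The new early-out when SYSDB_SELINUX_DEFAULT_USER is missing or empty returns EOK without logging anything, so an administrator who expected a SELinux login file and finds none has no trace of why it was skipped, whereas the removed branch at least logged at SSSDBG_OP_FAILURE. Add a trace line before the `ret = EOK;`, e.g. `DEBUG(SSSDBG_TRACE_FUNC, ("No default SELinux user set on the server, skipping SELinux mappings\n"));`. It would also help the next reader to state in the skip comment that `default_user` and `tmp_str` appear to be borrowed pointers into `config` rather than copies, which is why only `order` is duplicated into `tmp_ctx` before it is modified. process_selinux_mappings begins before and continues after this hunk.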
@@ -577,10 +580,6 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
                               &usermaps);
     if (ret != EOK && ret != ENOENT) {
         goto done;
-    } else if (ret == ENOENT) {
-        DEBUG(SSSDBG_TRACE_FUNC, ("No maps defined on the server\n"));
-        ret = EOK;
-        goto done;
     }
     /* If no maps match, we'll use the default SELinux user from the |