diff options
author | Jan Zeleny <jzeleny@redhat.com> | 2012-07-20 11:06:20 -0400 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-07-23 16:05:32 +0200 |
commit | 83a3317cb6acd44adad338a6fe4987f0ad3b4d64 (patch) | |
tree | 234e6251469ddf561af100ca7cbd1ca86d897f8c /src | |
parent | 029eb3365d0f1719b8174dd6b76adc5646dd7ade (diff) | |
download | sssd-83a3317cb6acd44adad338a6fe4987f0ad3b4d64.tar.gz sssd-83a3317cb6acd44adad338a6fe4987f0ad3b4d64.tar.bz2 sssd-83a3317cb6acd44adad338a6fe4987f0ad3b4d64.zip |
Extend category support in SELinux user maps
This patch adds the possibility for user/host category attributes to
have more than one value. It also fixes semantically wrong evaluation of
SELinux map priority.
Diffstat (limited to 'src')
-rw-r--r-- | src/util/sss_selinux.c | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c index b749b236..b933d9fc 100644 --- a/src/util/sss_selinux.c +++ b/src/util/sss_selinux.c @@ -62,6 +62,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, uint32_t priority = 0; bool matched_name; bool matched_group; + bool matched_category; errno_t ret; if (usermap == NULL) { @@ -100,8 +101,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, * The rule won't match if user category != "all" and user map doesn't * contain neither user nor any of his groups in memberUser attribute */ - if (usercat == NULL || usercat->num_values == 0 || - strcasecmp((char *)usercat->values[0].data, "all") != 0) { + matched_category = false; + if (usercat != NULL) { + for (i = 0; i < usercat->num_values; i++) { + if (strcasecmp((char *)usercat->values[i].data, "all") == 0) { + matched_category = true; + break; + } + } + } + + if (!matched_category) { if (users_el == NULL) { DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; @@ -140,8 +150,16 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, * The rule won't match if host category != "all" and user map doesn't * contain neither host nor any of its groups in memberHost attribute */ - if (hostcat == NULL || hostcat->num_values == 0 || - strcasecmp((char *)hostcat->values[0].data, "all") != 0) { + matched_category = false; + if (hostcat != NULL) { + for (i = 0; i < hostcat->num_values; i++) { + if (strcasecmp((char *)hostcat->values[i].data, "all") == 0) { + matched_category = true; + break; + } + } + } + if (!matched_category) { if (hosts_el == NULL) { DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; @@ -157,9 +175,9 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, return false; } } + } else { + priority |= SELINUX_PRIORITY_HOST_CAT; } - } else { - priority |= SELINUX_PRIORITY_HOST_CAT; } if (_priority != NULL) { |