authorJan Zeleny <jzeleny@redhat.com>2012-07-20 11:06:20 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-07-23 16:05:32 +0200
commit83a3317cb6acd44adad338a6fe4987f0ad3b4d64 (patch)
tree234e6251469ddf561af100ca7cbd1ca86d897f8c /src
parent029eb3365d0f1719b8174dd6b76adc5646dd7ade (diff)
Extend category support in SELinux user maps
This patch allows user/host category attributes to have more than one value. It also fixes the semantically wrong evaluation of SELinux map priority.
Diffstat (limited to 'src')
-rw-r--r--src/util/sss_selinux.c30
1 files changed, 24 insertions, 6 deletions
diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c
index b749b236..b933d9fc 100644
--- a/src/util/sss_selinux.c
+++ b/src/util/sss_selinux.c
@@ -62,6 +62,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
uint32_t priority = 0;
bool matched_name;
bool matched_group;
+ bool matched_category;
errno_t ret;
if (usermap == NULL) {
@@ -100,8 +101,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
* The rule won't match if user category != "all" and user map doesn't
* contain neither user nor any of his groups in memberUser attribute
*/
- if (usercat == NULL || usercat->num_values == 0 ||
- strcasecmp((char *)usercat->values[0].data, "all") != 0) {
+ matched_category = false;
+ if (usercat != NULL) {
+ for (i = 0; i < usercat->num_values; i++) {
+ if (strcasecmp((char *)usercat->values[i].data, "all") == 0) {
+ matched_category = true;
+ break;
+ }
+ }
+ }
+
+ if (!matched_category) {
if (users_el == NULL) {
DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n"));
return false;
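Review bot: The scan for an "all" value over usercat is repeated verbatim for hostcat in the next hunk (@@ -140,8 +150,16 @@), differing only in the element being walked; a small static helper would keep the two category checks from drifting apart and remove the need for the shared `matched_category` flag, e.g. `if (!selinux_category_is_all(usercat)) {` here and `if (!selinux_category_is_all(hostcat)) {` in the host branch. The loop index `i` is declared outside the hunk, so its type is not visible; `num_values` in an ldb element is unsigned, so if `i` is a signed int the comparison `i < usercat->num_values` mixes signedness and -Wsign-compare will flag it — presumably harmless here, but a helper with its own unsigned index sidesteps it. The cast `(char *)usercat->values[i].data` also relies on each value being NUL-terminated, as the old single-value check did; this holds for values read back from ldb as far as I know, but a one-line comment stating that assumption would help the next reader. The enclosing function sss_selinux_match continues outside the hunk.
```c
/* True when any value of a user/host category attribute is "all"
 * (case-insensitive). Values are assumed NUL-terminated, as elsewhere
 * in this file when ldb values are compared as strings. */
static bool selinux_category_is_all(const struct ldb_message_element *cat)
{
    unsigned int i;

    if (cat == NULL) {
        return false;
    }
    for (i = 0; i < cat->num_values; i++) {
        if (strcasecmp((const char *)cat->values[i].data, "all") == 0) {
            return true;
        }
    }
    return false;
}

/* … unchanged: sss_selinux_match up to the user category check … */
    if (!selinux_category_is_all(usercat)) {
/* … unchanged: memberUser matching … */
```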
@@ -140,8 +150,16 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
* The rule won't match if host category != "all" and user map doesn't
* contain neither host nor any of its groups in memberHost attribute
*/
- if (hostcat == NULL || hostcat->num_values == 0 ||
- strcasecmp((char *)hostcat->values[0].data, "all") != 0) {
+ matched_category = false;
+ if (hostcat != NULL) {
+ for (i = 0; i < hostcat->num_values; i++) {
+ if (strcasecmp((char *)hostcat->values[i].data, "all") == 0) {
+ matched_category = true;
+ break;
+ }
+ }
+ }
+ if (!matched_category) {
if (hosts_el == NULL) {
DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n"));
return false;
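Review bot: The debug message on the `hosts_el == NULL` path in this host-category branch still reads "No users specified in the rule!", which is a copy of the user branch and misleads anyone tracing why a host-based rule did not match. It is a pre-existing context line rather than part of this change, but since the commit rewrites the condition guarding it, this is the place to fix it: `DEBUG(SSSDBG_TRACE_ALL, ("No hosts specified in the rule!\n"));`. Note also that the blank line separating the scan loop from `if (!matched_category)` in the user branch (previous hunk) is missing here; keeping the two blocks laid out identically makes the parallel structure easier to spot.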
@@ -157,9 +175,9 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
return false;
}
}
+ } else {
+ priority |= SELINUX_PRIORITY_HOST_CAT;
}
- } else {
- priority |= SELINUX_PRIORITY_HOST_CAT;
}
if (_priority != NULL) {