-rw-r--r--src/db/sysdb_selinux.c33
-rw-r--r--src/db/sysdb_selinux.h9
-rw-r--r--src/providers/ipa/ipa_selinux.c9
-rw-r--r--src/providers/ipa/ipa_selinux_common.c3
-rw-r--r--src/providers/ipa/ipa_selinux_common.h1
-rw-r--r--src/responder/pam/pamsrv_cmd.c6
6 files changed, 40 insertions, 21 deletions
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
index c1fb07fb..b27e0a92 100644
--- a/src/db/sysdb_selinux.c
+++ b/src/db/sysdb_selinux.c
@@ -77,6 +77,7 @@ done:
}
static errno_t sysdb_store_selinux_entity(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
struct sysdb_attrs *attrs,
enum selinux_entity_type type)
{
@@ -109,12 +110,12 @@ static errno_t sysdb_store_selinux_entity(struct sysdb_ctx *sysdb,
}
dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
- clean_name, sysdb->domain->name);
+ clean_name, domain->name);
break;
case SELINUX_CONFIG:
objectclass = SYSDB_SELINUX_CLASS;
dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
- sysdb->domain->name);
+ domain->name);
break;
}
@@ -174,12 +175,14 @@ done:
}
errno_t sysdb_store_selinux_usermap(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
struct sysdb_attrs *attrs)
{
- return sysdb_store_selinux_entity(sysdb, attrs, SELINUX_USER_MAP);
+ return sysdb_store_selinux_entity(sysdb, domain, attrs, SELINUX_USER_MAP);
}
errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *default_user,
const char *order)
{
@@ -210,19 +213,20 @@ errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
goto done;
}
- ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
+ ret = sysdb_store_selinux_entity(sysdb, domain, attrs, SELINUX_CONFIG);
done:
talloc_free(attrs);
return ret;
}
-errno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb)
+errno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain)
{
struct ldb_dn *dn = NULL;
errno_t ret;
dn = ldb_dn_new_fmt(sysdb, sysdb->ldb,
- SYSDB_TMPL_SELINUX_BASE, sysdb->domain->name);
+ SYSDB_TMPL_SELINUX_BASE, domain->name);
if (!dn) return ENOMEM;
ret = sysdb_delete_recursive(sysdb, dn, true);
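Review bot: `dn` is allocated directly on `sysdb` at the `ldb_dn_new_fmt` call rather than on a temporary context, so unless the remainder of sysdb_delete_usermaps (which continues past this hunk) frees it, every call leaks a DN onto the long-lived sysdb context; a `talloc_free(dn)` after `sysdb_delete_recursive` or allocating on a `tmp_ctx` would close that. The new `domain` argument is dereferenced unconditionally on the same line, as it is in every function of this file; that mirrors the old `sysdb->domain` use, but the IPA call sites now decide which domain object arrives here, so the precondition deserves a comment such as `/* domain must be non-NULL; its name selects the SELinux subtree to delete */`.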
@@ -238,6 +242,7 @@ errno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb)
/* --- SYSDB SELinux search routines --- */
errno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *name,
const char **attrs,
struct ldb_message **_usermap)
@@ -267,7 +272,7 @@ errno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
}
basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
- clean_name, sysdb->domain->name);
+ clean_name, domain->name);
if (!basedn) {
ret = ENOMEM;
goto done;
@@ -295,6 +300,7 @@ done:
errno_t
sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char **attrs,
size_t *count,
struct ldb_message ***messages)
@@ -302,9 +308,7 @@ sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
errno_t ret;
char *filter;
struct ldb_dn *basedn;
- struct sss_domain_info *domain;
- domain = sysdb->domain;
basedn = ldb_dn_new_fmt(mem_ctx, sysdb_ctx_get_ldb(sysdb),
SYSDB_TMPL_SELINUX_BASE, domain->name);
if (!basedn) {
@@ -334,6 +338,7 @@ sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *username,
struct ldb_message ***_usermaps)
{
@@ -363,8 +368,6 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- domain = sysdb->domain;
-
/* Now extract user attributes */
ret = sss_selinux_extract_user(tmp_ctx, sysdb, domain, username, &user);
if (ret != EOK) {
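Review bot: The removed `domain = sysdb->domain;` implies a function-scope local `struct sss_domain_info *domain` declared earlier in sysdb_search_selinux_usermap_by_username, and no hunk drops that declaration, whereas the parallel change in sysdb_get_selinux_usermaps removes its local at the `struct sss_domain_info *domain;` line. If the local is still present it collides with the new parameter of the same name, so confirm it was removed in the declaration block that lies between the hunks. The function begins and ends outside this hunk.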
@@ -372,7 +375,8 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
}
/* Now extract all SELinux user maps */
- ret = sysdb_get_selinux_usermaps(tmp_ctx, sysdb, attrs, &msgs_count, &msgs);
+ ret = sysdb_get_selinux_usermaps(tmp_ctx, sysdb, domain,
+ attrs, &msgs_count, &msgs);
if (ret) {
goto done;
}
@@ -441,6 +445,7 @@ done:
errno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char **attrs,
struct ldb_message **_config)
{
@@ -458,8 +463,8 @@ errno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
return ENOMEM;
}
- basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
- sysdb->domain->name);
+ basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb,
+ SYSDB_TMPL_SELINUX_BASE, domain->name);
if (!basedn) {
ret = ENOMEM;
goto done;
diff --git a/src/db/sysdb_selinux.h b/src/db/sysdb_selinux.h
index 5fcbb56e..752f2206 100644
--- a/src/db/sysdb_selinux.h
+++ b/src/db/sysdb_selinux.h
@@ -42,34 +42,41 @@ enum selinux_entity_type {
};
errno_t sysdb_store_selinux_usermap(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
struct sysdb_attrs *attrs);
errno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *default_map,
const char *order);
errno_t sysdb_get_selinux_usermaps(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char **attrs,
size_t *count,
struct ldb_message ***messages);
errno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *name,
const char **attrs,
struct ldb_message **_usermap);
errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char *username,
struct ldb_message ***_usermaps);
errno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
const char **attrs,
struct ldb_message **_config);
-errno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb);
+errno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain);
#endif
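Review bot: The declaration of sysdb_store_selinux_config names its third parameter `default_map` while the definition in sysdb_selinux.c calls it `default_user`; the prototype is what readers of the header see, so the two should agree, `const char *default_user,`. None of the seven prototypes document the new `domain` argument, which every implementation dereferences without a check; a short Doxygen block on each (or one shared comment above the group) should state that `domain` must be non-NULL, that it is only borrowed for the duration of the call, and that its `name` selects the per-domain SELinux subtree the function reads or writes in place of `sysdb->domain`.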
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index c8093bad..09dc075f 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -215,20 +215,21 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
}
in_transaction = true;
- ret = sysdb_delete_usermaps(breq->sysdb);
+ ret = sysdb_delete_usermaps(breq->sysdb, breq->domain);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Cannot delete existing maps from sysdb\n"));
goto fail;
}
- ret = sysdb_store_selinux_config(sysdb, default_user, map_order);
+ ret = sysdb_store_selinux_config(sysdb, breq->be_ctx->domain,
+ default_user, map_order);
if (ret != EOK) {
goto fail;
}
if (map_count > 0 && maps != NULL) {
- ret = ipa_save_user_maps(sysdb, map_count, maps);
+ ret = ipa_save_user_maps(sysdb, breq->be_ctx->domain, map_count, maps);
if (ret != EOK) {
goto fail;
}
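Review bot: Within one transaction the three calls disagree on where the domain comes from: `sysdb_delete_usermaps(breq->sysdb, breq->domain)` uses `breq->domain`, while `sysdb_store_selinux_config` and `ipa_save_user_maps` use `breq->be_ctx->domain` (and a local `sysdb` rather than `breq->sysdb`). If those two pointers ever differ, for instance when a request targets a subdomain, the old maps are deleted from one subtree and the new config and maps are written to another, leaving the cache inconsistent after commit. Pick one source, e.g. `ret = sysdb_delete_usermaps(breq->sysdb, breq->be_ctx->domain);`, or pass `breq->domain` to all three, and hoist it into a local so the choice is visible. ipa_selinux_handler_done continues on both sides of this hunk.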
@@ -595,6 +596,7 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
/* read the config entry */
ret = sysdb_search_selinux_config(state, state->be_req->be_ctx->sysdb,
+ state->be_req->be_ctx->domain,
NULL, &defaults);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_search_selinux_config failed [%d]: %s\n",
@@ -628,6 +630,7 @@ ipa_get_selinux_maps_offline(struct tevent_req *req)
/* read all the SELinux rules */
ret = sysdb_get_selinux_usermaps(state, state->be_req->be_ctx->sysdb,
+ state->be_req->be_ctx->domain,
attrs, &nmaps, &maps);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("sysdb_get_selinux_usermaps failed [%d]: %s\n",
diff --git a/src/providers/ipa/ipa_selinux_common.c b/src/providers/ipa/ipa_selinux_common.c
index 45794388..2276d0c9 100644
--- a/src/providers/ipa/ipa_selinux_common.c
+++ b/src/providers/ipa/ipa_selinux_common.c
@@ -28,6 +28,7 @@
errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
size_t map_count,
struct sysdb_attrs **maps)
{
@@ -44,7 +45,7 @@ errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb,
in_transaction = true;
for (i = 0; i < map_count; i++) {
- ret = sysdb_store_selinux_usermap(sysdb, maps[i]);
+ ret = sysdb_store_selinux_usermap(sysdb, domain, maps[i]);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to store user map %d. "
"Ignoring.\n", i));
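Review bot: The failure path inside the loop logs `i` with `%d`, yet `i` is compared against `map_count`, which the new signature types as `size_t`; if `i` is itself `size_t` (its declaration is above the hunk) the specifier should be `%zu`, `("Failed to store user map %zu. Ignoring.\n", i)`, since a mismatched conversion specifier is undefined behaviour. The loop also deliberately carries on after a failed store, so a one-line comment above the DEBUG, `/* best effort: one bad map must not discard the rest */`, would make that intent explicit to the next reader. ipa_save_user_maps begins and ends outside this hunk.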
diff --git a/src/providers/ipa/ipa_selinux_common.h b/src/providers/ipa/ipa_selinux_common.h
index d722136e..8a659556 100644
--- a/src/providers/ipa/ipa_selinux_common.h
+++ b/src/providers/ipa/ipa_selinux_common.h
@@ -29,6 +29,7 @@ errno_t ipa_save_host(struct sysdb_ctx *sysdb,
struct sysdb_attrs *host);
errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb,
+ struct sss_domain_info *domain,
size_t map_count,
struct sysdb_attrs **maps);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 62d160c2..dd3637b0 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -526,7 +526,8 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
goto done;
}
- ret = sysdb_search_selinux_config(tmp_ctx, sysdb, NULL, &config);
+ ret = sysdb_search_selinux_config(tmp_ctx, sysdb,
+ preq->domain, NULL, &config);
if (ret == ENOENT) {
DEBUG(SSSDBG_TRACE_INTERNAL, ("No SELinux support found for the domain\n"));
ret = EOK;
@@ -592,7 +593,8 @@ static errno_t process_selinux_mappings(struct pam_auth_req *preq)
}
/* Fetch all maps applicable to the user who is currently logging in */
- ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, sysdb, pd->user,
+ ret = sysdb_search_selinux_usermap_by_username(tmp_ctx, sysdb,
+ preq->domain, pd->user,
&usermaps);
if (ret != EOK && ret != ENOENT) {
goto done;