-rw-r--r--src/providers/ipa/ipa_session.c18
-rw-r--r--src/util/sss_selinux.c28
2 files changed, 38 insertions, 8 deletions
diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c
index 3a87e957..51c785f5 100644
--- a/src/providers/ipa/ipa_session.c
+++ b/src/providers/ipa/ipa_session.c
@@ -481,21 +481,28 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
ret = ipa_hbac_rule_info_recv(subreq, state, &rule_count,
&rules);
+ DEBUG(SSSDBG_TRACE_INTERNAL,
+ ("Received %d HBAC rules\n", rule_count));
talloc_free(subreq);
if (ret != EOK) {
goto done;
}
for (i = 0; i < rule_count; i++) {
- if (!sss_selinux_match(rules[i], state->user, state->host, &priority)) {
- continue;
- }
-
ret = sysdb_attrs_get_string(rules[i], SYSDB_ORIG_DN, &hbac_dn);
if (ret != EOK) {
goto done;
}
+ DEBUG(SSSDBG_TRACE_ALL,
+ ("Matching HBAC rule %s with SELinux mappings\n", hbac_dn));
+
+ if (!sss_selinux_match(rules[i], state->user, state->host, &priority)) {
+ DEBUG(SSSDBG_TRACE_ALL, ("Rule did not match\n"));
+ continue;
+ }
+
+
/* HBAC rule matched, find if it is in the "possible" list */
for (j = 0; state->possible_match[j]; j++) {
usermap = state->possible_match[j];
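Review bot: Moving the `sysdb_attrs_get_string(rules[i], SYSDB_ORIG_DN, &hbac_dn)` lookup ahead of the `sss_selinux_match` check changes the failure semantics of the loop: a rule with no SYSDB_ORIG_DN now sends the whole request to `done` with an error, whereas before such a rule was only read if it already matched the user and host. If that is intended the commit message should say so; otherwise a `DEBUG(...)` plus `continue;` on that error would keep the previous best-effort behaviour. The `%d` in `"Received %d HBAC rules\n"` has to agree with the declared type of rule_count, which is outside the hunk — if it is size_t the specifier should be `%zu`. The two consecutive blank lines added before the `/* HBAC rule matched ... */` comment should be collapsed to one. ipa_get_selinux_hbac_done begins and ends outside this hunk.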
@@ -509,6 +516,9 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq)
}
if (strcasecmp(hbac_dn, seealso_dn) == 0) {
+ DEBUG(SSSDBG_TRACE_FUNC, ("HBAC rule [%s] matched, copying its"
+ "attributes to SELinux user map [%s]\n",
+ hbac_dn, seealso_dn));
priority &= ~(SELINUX_PRIORITY_USER_NAME |
SELINUX_PRIORITY_USER_GROUP |
SELINUX_PRIORITY_USER_CAT);
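Review bot: The two adjacent string literals in the new DEBUG call concatenate to "copying itsattributes" because the first piece ends without a trailing space; it should read `("HBAC rule [%s] matched, copying its "`. This is the only change needed in the hunk; the enclosing loop and ipa_get_selinux_hbac_done continue outside it.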
diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c
index 7b2417bb..b749b236 100644
--- a/src/util/sss_selinux.c
+++ b/src/util/sss_selinux.c
@@ -84,9 +84,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
if (user) {
ret = sysdb_attrs_get_el(user, SYSDB_ORIG_DN, &dn);
- if (ret != EOK) return false;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("User does not have origDN\n"));
+ return false;
+ }
ret = sysdb_attrs_get_el(user, SYSDB_ORIG_MEMBEROF, &memberof);
- if (ret != EOK) return false;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ ("User does not have orig memberof, "
+ "therefore it can't match to any rule\n"));
+ return false;
+ }
/**
* The rule won't match if user category != "all" and user map doesn't
@@ -95,6 +103,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
if (usercat == NULL || usercat->num_values == 0 ||
strcasecmp((char *)usercat->values[0].data, "all") != 0) {
if (users_el == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n"));
return false;
} else {
matched_name = match_entity(users_el, dn);
@@ -104,6 +113,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
} else if (matched_group) {
priority |= SELINUX_PRIORITY_USER_GROUP;
} else {
+ DEBUG(SSSDBG_TRACE_ALL, ("User did not match\n"));
return false;
}
}
@@ -114,9 +124,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
if (host) {
ret = sysdb_attrs_get_el(host, SYSDB_ORIG_DN, &dn);
- if (ret != EOK) return false;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_MINOR_FAILURE, ("Host does not have origDN\n"));
+ return false;
+ }
ret = sysdb_attrs_get_el(host, SYSDB_ORIG_MEMBEROF, &memberof);
- if (ret != EOK) return false;
+ if (ret != EOK) {
+ DEBUG(SSSDBG_TRACE_ALL,
+ ("Host does not have orig memberof, "
+ "therefore it can't match to any rule\n"));
+ return false;
+ }
/**
* The rule won't match if host category != "all" and user map doesn't
@@ -125,6 +143,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
if (hostcat == NULL || hostcat->num_values == 0 ||
strcasecmp((char *)hostcat->values[0].data, "all") != 0) {
if (hosts_el == NULL) {
+ DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n"));
return false;
} else {
matched_name = match_entity(hosts_el, dn);
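Review bot: The message added in the hosts branch, `DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n"));`, is copied from the users branch and will mislead anyone reading a trace of a host mismatch; it should say `("No hosts specified in the rule!\n")`. The surrounding condition checks hostcat and hosts_el, so the wording is the only issue. sss_selinux_match begins and ends outside this hunk.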
@@ -134,6 +153,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap,
} else if (matched_group) {
priority |= SELINUX_PRIORITY_HOST_GROUP;
} else {
+ DEBUG(SSSDBG_TRACE_ALL, ("Host did not match\n"));
return false;
}
}