summaryrefslogtreecommitdiff
path: root/src/db/sysdb_selinux.c
AgeCommit message (Collapse)AuthorFilesLines
2013-03-19Move SELinux processing to provider.Michal Zidek1-107/+0
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-01-15Add domain argument to sysdb selinux functionsSimo Sorce1-14/+19
2013-01-15Add domain to sysdb_search_user_by_name()Simo Sorce1-1/+3
Also remove unused sysdb_search_domuser_by_name()
2013-01-15Remove the sysdb_ctx_get_domain() function.Simo Sorce1-1/+1
We are deprecating sysdb->domain so kill the function that gives access to this member as we should stop relying on it being available (or correct).
2013-01-08SYSDB: Split a function to read all SELinux mapsJakub Hrozek1-23/+43
2012-09-13SELinux: Always use the default if it exists on the serverJakub Hrozek1-2/+9
https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
2012-09-13DB: Always write the SELinux object to sysdbJakub Hrozek1-70/+8
There's no point in checking if the object already exists because we always wipe the whole sysdb subtree. We were also immediatelly cancelling the transaction because we'd jump to goto, even though it was with EOK.
2012-09-04Unify usage of sysdb transactions (part 2).Michal Zidek1-13/+15
2012-08-16Only create the SELinux login file if there are mappings on the serverJakub Hrozek1-6/+1
https://fedorahosted.org/sssd/ticket/1455 In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers. The IPA default must be only used if there *are* rules on the server, but none matches.
2012-07-20Fix sysdb_search_selinux_usermap_by_username return valueJakub Hrozek1-0/+1
There was a logic bug in sysdb_search_selinux_usermap_by_username that resulted in returning the value the variable "ret" had after the last call to sysdb_attrs_get_uint32_t, which in cases the last rule processed did not have the requested attributes led to using the default user context.
2012-07-18Fix uninitialized valuesNick Guay1-2/+2
https://fedorahosted.org/sssd/ticket/1379
2012-07-18SYSDB: Delete SELinux mappingsJakub Hrozek1-0/+17
2012-07-18Modify priority evaluation in SELinux user mapsJan Zeleny1-1/+33
The functionality now is following: When rule is being matched, its priority is determined as a combination of user and host specificity (host taking preference). After the rule is matched in provider, only its host priority is stored in sysdb for later usage. When rules are matched in the responder, their user priority is determined. After that their host priority is retrieved directly from sysdb and sum of both priorities is user to determine whether to use that rule or not. If more rules have the same priority, the order given in IPA config is used. https://fedorahosted.org/sssd/ticket/1360 https://fedorahosted.org/sssd/ticket/1395
2012-05-02SYSDB: return EOK if empty message is passed into get_rm_msgJakub Hrozek1-0/+1
If the code never entered the loop in get_rm_message, we would return arbitrary return value.
2012-02-06Added some SELinux-related sysdb routinesJan Zeleny1-0/+471