path: root/src/providers/ipa/ipa_selinux.c
Age | Commit message | Author | Files | Lines
2013-06-07 | LDAP: sdap_id_ctx might contain several connections | Jakub Hrozek | 1 | -1/+2
With some LDAP server implementations, one server might provide different "views" of the identities on different ports. One example is the Active Directory Global catalog. The provider would contact a different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
2013-05-14 | Fix broken build with selinux. | Lukas Slebodnik | 1 | -1/+3
Header file selinux/selinux.h was removed in commit 245cc346 from file ipa_selinux.c, because it breaks build without selinux. But a new error was introduced. This patch fixes compilation with selinux and includes header file selinux/selinux.h only if both macros HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR exist. Now ipa_selinux.c should be correctly built with and without selinux.
2013-05-13 | Fixes compilation without selinux. | Lukas Slebodnik | 1 | -1/+0
Compilation fails if ./configure is called with arguments --with-selinux --with-semanage and selinux header files are not installed. We did not catch this in Fedora, because krb5-devel depends on libselinux-devel, but other distributions can package it differently. And API from selinux.h is not used in file ipa_selinux.c.
2013-04-29 | selinux: if no domain matches, make the debug message louder | Jakub Hrozek | 1 | -3/+3
2013-04-29 | Make IPA SELinux provider aware of subdomain users | Sumit Bose | 1 | -2/+25
Fixes https://fedorahosted.org/sssd/ticket/1892
2013-03-27 | selinux: Remove unused parameter | Jakub Hrozek | 1 | -1/+0
https://fedorahosted.org/sssd/ticket/1848
2013-03-19 | Make the SELinux refresh time configurable. | Michal Zidek | 1 | -2/+3
Option ipa_selinux_refresh is added to basic ipa options.
2013-03-19 | Reuse cached SELinux mappings. | Michal Zidek | 1 | -3/+28
Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
2013-03-19 | Move SELinux processing to provider. | Michal Zidek | 1 | -31/+381
The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
2013-01-21 | Add be_req_get_data() helper function. | Simo Sorce | 1 | -2/+3
In preparation for making struct be_req opaque.
2013-01-21 | Add be_req_get_be_ctx() helper. | Simo Sorce | 1 | -6/+6
In preparation for making be_req opaque
2013-01-21 | Introduce be_req_terminate() helper | Simo Sorce | 1 | -4/+4
Call it everywhere instead of directly dereferencing be_req->fn. This is in preparation of making be_req opaque.
2013-01-21 | Remove domain from be_req structure | Simo Sorce | 1 | -34/+34
2013-01-21 | Remove sysdb argument from hbac_get_cached_rules() | Simo Sorce | 1 | -4/+4
2013-01-21 | Remove sysdb argument from ipa_host_info_send() | Simo Sorce | 1 | -1/+1
2013-01-21 | Remove sysdb as a be request structure member | Simo Sorce | 1 | -2/+2
The sysdb context is already available through the 'domain' context.
2013-01-21 | Remove sysdb as a be context structure member | Simo Sorce | 1 | -7/+7
The sysdb context is already available through the 'domain' structure.
2013-01-15 | Add domain argument to sysdb selinux functions | Simo Sorce | 1 | -3/+6
2013-01-15 | Add domain argument to sysdb_search_custom() | Simo Sorce | 1 | -1/+2
Also changes sysdb_search_custom_by_name()
2013-01-15 | Add domain to sysdb_search_user_by_name() | Simo Sorce | 1 | -1/+1
Also remove unused sysdb_search_domuser_by_name()
2013-01-15 | Make sysdb_custom_dn() require a domain. | Simo Sorce | 1 | -3/+5
2013-01-08 | IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP | Jakub Hrozek | 1 | -2/+4
It is not a map, but a default context. The name should reflect that.
2013-01-08 | SELINUX: Process maps even when offline | Jakub Hrozek | 1 | -226/+429
Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
2012-09-24 | SYSDB: Remove unnecessary domain parameter from several sysdb calls | Jakub Hrozek | 1 | -4/+1
The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
2012-09-13 | SELinux: Always use the default if it exists on the server | Jakub Hrozek | 1 | -9/+9
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that
 * if the default is set in the IPA config object, the SSSD would use that default no matter what
 * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
2012-08-23 | Unify usage of sysdb transactions | Michal Zidek | 1 | -1/+4
Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except src/db/sysdb_*.c).
2012-07-31 | Support fetching of host from sysdb in SELinux code | Jan Zeleny | 1 | -11/+55
The host record will be fetched if HBAC is used as access provider since the record is already downloaded and it can be trusted to be valid.
2012-07-31 | Support fetching of HBAC rules from sysdb in SELinux code | Jan Zeleny | 1 | -14/+47
If HBAC is active, SELinux code will reuse them instead of downloading them from the server again.
2012-07-27 | Renamed session provider to selinux provider | Jan Zeleny | 1 | -0/+625