From b1829e54acbc8a010aca7f14b9ffa9625f8c102c Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Mon, 22 Apr 2013 10:43:44 +0200 Subject: Make IPA SELinux provider aware of subdomain users Fixes https://fedorahosted.org/sssd/ticket/1892 --- src/providers/ipa/ipa_selinux.c | 27 +++++++++++++++++++++++++-- src/providers/ipa/ipa_subdomains.c | 14 ++++++++++++++ src/providers/ipa/ipa_subdomains.h | 2 ++ 3 files changed, 41 insertions(+), 2 deletions(-) diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index ed44fac2..d82485e7 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -36,6 +36,7 @@ #include "providers/ipa/ipa_access.h" #include "providers/ipa/ipa_selinux_common.h" #include "providers/ipa/ipa_selinux_maps.h" +#include "providers/ipa/ipa_subdomains.h" #ifdef HAVE_SELINUX_LOGIN_DIR @@ -94,6 +95,8 @@ void ipa_selinux_handler(struct be_req *be_req) struct tevent_req *req; struct pam_data *pd; const char *hostname; + struct sss_domain_info *user_domain; + struct be_ctx *subdom_be_ctx; pd = talloc_get_type(be_req_get_data(be_req), struct pam_data); @@ -107,8 +110,28 @@ void ipa_selinux_handler(struct be_req *be_req) goto fail; } - op_ctx = ipa_selinux_create_op_ctx(be_req, be_ctx->domain->sysdb, - be_ctx->domain, + if (strcasecmp(pd->domain, be_ctx->domain->name) != 0) { + subdom_be_ctx = ipa_get_subdomains_be_ctx(be_ctx); + if (subdom_be_ctx == NULL) { + DEBUG(SSSDBG_CONF_SETTINGS, ("Subdomains are not configured, " \ + "cannot lookup domain [%s].\n", + pd->domain)); + goto fail; + } else { + user_domain = find_subdomain_by_name(subdom_be_ctx->domain, + pd->domain, true); + if (user_domain == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, ("No domain entry found " \ + "for [%s].\n", pd->domain)); + goto fail; + } + } + } else { + user_domain = be_ctx->domain; + } + + op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb, + user_domain, be_req, pd->user, hostname, selinux_ctx); if (op_ctx == NULL) { diff --git a/src/providers/ipa/ipa_subdomains.c b/src/providers/ipa/ipa_subdomains.c index 529618bc..98fc69f1 100644 --- a/src/providers/ipa/ipa_subdomains.c +++ b/src/providers/ipa/ipa_subdomains.c @@ -79,6 +79,20 @@ struct ipa_subdomains_ctx { time_t disabled_until; }; +struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx) +{ + struct ipa_subdomains_ctx *subdom_ctx; + + subdom_ctx = talloc_get_type(be_ctx->bet_info[BET_SUBDOMAINS].pvt_bet_data, + struct ipa_subdomains_ctx); + if (subdom_ctx == NULL) { + DEBUG(SSSDBG_TRACE_ALL, ("Subdomains are not configured.\n")); + return NULL; + } + + return subdom_ctx->be_ctx; +} + const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx, const char *name) { diff --git a/src/providers/ipa/ipa_subdomains.h b/src/providers/ipa/ipa_subdomains.h index 35b42b41..df7f994d 100644 --- a/src/providers/ipa/ipa_subdomains.h +++ b/src/providers/ipa/ipa_subdomains.h @@ -28,6 +28,8 @@ #include "providers/dp_backend.h" #include "providers/ipa/ipa_common.h" +struct be_ctx *ipa_get_subdomains_be_ctx(struct be_ctx *be_ctx); + const char *get_flat_name_from_subdomain_name(struct be_ctx *be_ctx, const char *name); -- cgit