dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone

Blame SOURCES/0110-IPA-Use-the-correct-domain-when-processing-SELinux-r.patch

2fc102
From 83eedf41e97e3fae59d92c0331cb3d1dc62a9010 Mon Sep 17 00:00:00 2001
2fc102
From: Jakub Hrozek <jhrozek@redhat.com>
2fc102
Date: Wed, 5 Mar 2014 16:35:00 +0100
2fc102
Subject: [PATCH 110/110] IPA: Use the correct domain when processing SELinux
2fc102
 rules
2fc102
MIME-Version: 1.0
2fc102
Content-Type: text/plain; charset=UTF-8
2fc102
Content-Transfer-Encoding: 8bit
2fc102
2fc102
We blindly used the user's domain for everything. That wrong in case the
2fc102
user comes from a subdomain. We should use the IPA domain for accessing
2fc102
the SELinux rules and host data and the user domain only for the user.
2fc102
2fc102
https://fedorahosted.org/sssd/ticket/2270
2fc102
2fc102
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
2fc102
(cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
2fc102
---
2fc102
 src/providers/ipa/ipa_selinux.c | 26 ++++++++++++++++----------
2fc102
 1 file changed, 16 insertions(+), 10 deletions(-)
2fc102
2fc102
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
2fc102
index 2209ca188654d8c79ee402ba71beeadab2904093..4ec5a64159de139f9ba5b30bf1f1a56baf32a52f 100644
2fc102
--- a/src/providers/ipa/ipa_selinux.c
2fc102
+++ b/src/providers/ipa/ipa_selinux.c
2fc102
@@ -57,7 +57,8 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req,
2fc102
 
2fc102
 static struct ipa_selinux_op_ctx *
2fc102
 ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
2fc102
-                          struct sss_domain_info *domain,
2fc102
+                          struct sss_domain_info *ipa_domain,
2fc102
+                          struct sss_domain_info *user_domain,
2fc102
                           struct be_req *be_req, const char *username,
2fc102
                           const char *hostname,
2fc102
                           struct ipa_selinux_ctx *selinux_ctx);
2fc102
@@ -80,7 +81,8 @@ static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx,
2fc102
 
2fc102
 struct ipa_selinux_op_ctx {
2fc102
     struct be_req *be_req;
2fc102
-    struct sss_domain_info *domain;
2fc102
+    struct sss_domain_info *user_domain;
2fc102
+    struct sss_domain_info *ipa_domain;
2fc102
     struct ipa_selinux_ctx *selinux_ctx;
2fc102
 
2fc102
     struct sysdb_attrs *user;
2fc102
@@ -131,6 +133,7 @@ void ipa_selinux_handler(struct be_req *be_req)
2fc102
     }
2fc102
 
2fc102
     op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
2fc102
+                                       be_ctx->domain,
2fc102
                                        user_domain,
2fc102
                                        be_req, pd->user, hostname,
2fc102
                                        selinux_ctx);
2fc102
@@ -155,7 +158,8 @@ fail:
2fc102
 
2fc102
 static struct ipa_selinux_op_ctx *
2fc102
 ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
2fc102
-                          struct sss_domain_info *domain,
2fc102
+                          struct sss_domain_info *ipa_domain,
2fc102
+                          struct sss_domain_info *user_domain,
2fc102
                           struct be_req *be_req, const char *username,
2fc102
                           const char *hostname,
2fc102
                           struct ipa_selinux_ctx *selinux_ctx)
2fc102
@@ -175,15 +179,16 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
2fc102
         return NULL;
2fc102
     }
2fc102
     op_ctx->be_req = be_req;
2fc102
-    op_ctx->domain = domain;
2fc102
+    op_ctx->ipa_domain = ipa_domain;
2fc102
+    op_ctx->user_domain = user_domain;
2fc102
     op_ctx->selinux_ctx = selinux_ctx;
2fc102
 
2fc102
-    ret = sss_selinux_extract_user(op_ctx, sysdb, domain, username, &op_ctx->user);
2fc102
+    ret = sss_selinux_extract_user(op_ctx, sysdb, user_domain, username, &op_ctx->user);
2fc102
     if (ret != EOK) {
2fc102
         goto fail;
2fc102
     }
2fc102
 
2fc102
-    host_dn = sysdb_custom_dn(sysdb, op_ctx, domain, hostname, HBAC_HOSTS_SUBDIR);
2fc102
+    host_dn = sysdb_custom_dn(sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);
2fc102
     if (host_dn == NULL) {
2fc102
         goto fail;
2fc102
     }
2fc102
@@ -229,7 +234,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
2fc102
     struct ipa_selinux_op_ctx *op_ctx = tevent_req_callback_data(req, struct ipa_selinux_op_ctx);
2fc102
     struct be_req *breq = op_ctx->be_req;
2fc102
     struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
2fc102
-    struct sysdb_ctx *sysdb = op_ctx->domain->sysdb;
2fc102
+    struct sysdb_ctx *sysdb = op_ctx->ipa_domain->sysdb;
2fc102
     errno_t ret, sret;
2fc102
     size_t map_count = 0;
2fc102
     struct sysdb_attrs **maps = NULL;
2fc102
@@ -258,21 +263,22 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
2fc102
     }
2fc102
     in_transaction = true;
2fc102
 
2fc102
-    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
2fc102
+    ret = sysdb_delete_usermaps(op_ctx->ipa_domain->sysdb, op_ctx->ipa_domain);
2fc102
     if (ret != EOK) {
2fc102
         DEBUG(SSSDBG_CRIT_FAILURE,
2fc102
               ("Cannot delete existing maps from sysdb\n"));
2fc102
         goto fail;
2fc102
     }
2fc102
 
2fc102
-    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
2fc102
+    ret = sysdb_store_selinux_config(op_ctx->ipa_domain->sysdb,
2fc102
+                                     op_ctx->ipa_domain,
2fc102
                                      default_user, map_order);
2fc102
     if (ret != EOK) {
2fc102
         goto fail;
2fc102
     }
2fc102
 
2fc102
     if (map_count > 0 && maps != NULL) {
2fc102
-        ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
2fc102
+        ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps);
2fc102
         if (ret != EOK) {
2fc102
             goto fail;
2fc102
         }
2fc102
-- 
2fc102
1.8.5.3
2fc102