From 83eedf41e97e3fae59d92c0331cb3d1dc62a9010 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Wed, 5 Mar 2014 16:35:00 +0100
Subject: [PATCH 110/110] IPA: Use the correct domain when processing SELinux
rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
|
We blindly used the user's domain for everything. That is wrong in case the
user comes from a subdomain. We should use the IPA domain for accessing
the SELinux rules and host data and the user domain only for the user.
|
https://fedorahosted.org/sssd/ticket/2270
|
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
---
src/providers/ipa/ipa_selinux.c | 26 ++++++++++++++++----------
1 file changed, 16 insertions(+), 10 deletions(-)
|
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 2209ca188654d8c79ee402ba71beeadab2904093..4ec5a64159de139f9ba5b30bf1f1a56baf32a52f 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -57,7 +57,8 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req,
|
static struct ipa_selinux_op_ctx *
ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
+ struct sss_domain_info *ipa_domain,
+ struct sss_domain_info *user_domain,
struct be_req *be_req, const char *username,
const char *hostname,
struct ipa_selinux_ctx *selinux_ctx);
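Review bot: The new prototype takes two adjacent `struct sss_domain_info *` parameters of the same type and nothing states which one serves which purpose, so a caller that swaps them compiles cleanly (the call in the hunk at @@ -131 passes both positionally). A comment above the declaration would pin the contract: `/* ipa_domain: domain whose sysdb holds the host entry and the SELinux maps; user_domain: domain the user was resolved in (may be a subdomain), used only for the user lookup. */`. The same two-line comment belongs on the `user_domain` / `ipa_domain` fields added to struct ipa_selinux_op_ctx in the hunk at @@ -80, since that struct is what the done-callback reads.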
@@ -80,7 +81,8 @@ static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx,
|
struct ipa_selinux_op_ctx {
struct be_req *be_req;
- struct sss_domain_info *domain;
+ struct sss_domain_info *user_domain;
+ struct sss_domain_info *ipa_domain;
struct ipa_selinux_ctx *selinux_ctx;
|
struct sysdb_attrs *user;
@@ -131,6 +133,7 @@ void ipa_selinux_handler(struct be_req *be_req)
}
|
op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+ be_ctx->domain,
user_domain,
be_req, pd->user, hostname,
selinux_ctx);
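Review bot: The `sysdb` argument is still `user_domain->sysdb` while the newly passed `ipa_domain` is what ipa_selinux_create_op_ctx hands to `sysdb_custom_dn(sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR)` in the hunk at @@ -175, so the host DN is built with the user domain's sysdb handle but the IPA domain's naming. If a subdomain shares its parent's sysdb this is harmless, but the hunks at @@ -229 and @@ -258 deliberately switched to `op_ctx->ipa_domain->sysdb`, which makes this call the one place that still mixes the two. The cleanest fix is to drop the `sysdb` parameter and derive the handle per call inside ipa_selinux_create_op_ctx (`user_domain->sysdb` for sss_selinux_extract_user, `ipa_domain->sysdb` for sysdb_custom_dn); failing that, a comment on this call saying that both domains are expected to share one sysdb would record the assumption. ipa_selinux_handler starts outside the hunk.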
@@ -155,7 +158,8 @@ fail:
|
static struct ipa_selinux_op_ctx *
ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
- struct sss_domain_info *domain,
+ struct sss_domain_info *ipa_domain,
+ struct sss_domain_info *user_domain,
struct be_req *be_req, const char *username,
const char *hostname,
struct ipa_selinux_ctx *selinux_ctx)
@@ -175,15 +179,16 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
return NULL;
}
op_ctx->be_req = be_req;
- op_ctx->domain = domain;
+ op_ctx->ipa_domain = ipa_domain;
+ op_ctx->user_domain = user_domain;
op_ctx->selinux_ctx = selinux_ctx;
|
- ret = sss_selinux_extract_user(op_ctx, sysdb, domain, username, &op_ctx->user);
+ ret = sss_selinux_extract_user(op_ctx, sysdb, user_domain, username, &op_ctx->user);
if (ret != EOK) {
goto fail;
}
|
- host_dn = sysdb_custom_dn(sysdb, op_ctx, domain, hostname, HBAC_HOSTS_SUBDIR);
+ host_dn = sysdb_custom_dn(sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);
if (host_dn == NULL) {
goto fail;
}
@@ -229,7 +234,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
struct ipa_selinux_op_ctx *op_ctx = tevent_req_callback_data(req, struct ipa_selinux_op_ctx);
struct be_req *breq = op_ctx->be_req;
struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
- struct sysdb_ctx *sysdb = op_ctx->domain->sysdb;
+ struct sysdb_ctx *sysdb = op_ctx->ipa_domain->sysdb;
errno_t ret, sret;
size_t map_count = 0;
struct sysdb_attrs **maps = NULL;
@@ -258,21 +263,22 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
}
in_transaction = true;
|
- ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
+ ret = sysdb_delete_usermaps(op_ctx->ipa_domain->sysdb, op_ctx->ipa_domain);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Cannot delete existing maps from sysdb\n"));
goto fail;
}
|
- ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
+ ret = sysdb_store_selinux_config(op_ctx->ipa_domain->sysdb,
+ op_ctx->ipa_domain,
default_user, map_order);
if (ret != EOK) {
goto fail;
}
|
if (map_count > 0 && maps != NULL) {
- ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps);
+ ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps);
if (ret != EOK) {
goto fail;
}
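Review bot: The rewritten sysdb_delete_usermaps and sysdb_store_selinux_config calls spell out `op_ctx->ipa_domain->sysdb`, while `ipa_save_user_maps(sysdb, op_ctx->ipa_domain, ...)` a few lines below uses the local `sysdb`, which the hunk at @@ -229 now initialises to that same expression; mixing the two reads as if they were different handles. Using the local throughout makes the intent plain: `ret = sysdb_delete_usermaps(sysdb, op_ctx->ipa_domain);` and `ret = sysdb_store_selinux_config(sysdb, op_ctx->ipa_domain, default_user, map_order);`. The transaction that sets `in_transaction = true` is opened before the hunk and is not visible here; since every write in the hunk now targets the IPA domain, it is worth confirming it is started on that same `sysdb` handle. ipa_selinux_handler_done starts and ends outside the hunk.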
--
1.8.5.3