From 83eedf41e97e3fae59d92c0331cb3d1dc62a9010 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 5 Mar 2014 16:35:00 +0100
Subject: [PATCH 110/110] IPA: Use the correct domain when processing SELinux rules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user.

https://fedorahosted.org/sssd/ticket/2270

Reviewed-by: Pavel Březina
(cherry picked from commit 36f606d6743e77721bedeed0907f1be7a19fa4f4)
---
 src/providers/ipa/ipa_selinux.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 2209ca188654d8c79ee402ba71beeadab2904093..4ec5a64159de139f9ba5b30bf1f1a56baf32a52f 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -57,7 +57,8 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req,
 
 static struct ipa_selinux_op_ctx *
 ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
-                          struct sss_domain_info *domain,
+                          struct sss_domain_info *ipa_domain,
+                          struct sss_domain_info *user_domain,
                           struct be_req *be_req,
                           const char *username, const char *hostname,
                           struct ipa_selinux_ctx *selinux_ctx);
@@ -80,7 +81,8 @@ static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx,
 
 struct ipa_selinux_op_ctx {
     struct be_req *be_req;
-    struct sss_domain_info *domain;
+    struct sss_domain_info *user_domain;
+    struct sss_domain_info *ipa_domain;
     struct ipa_selinux_ctx *selinux_ctx;
 
     struct sysdb_attrs *user;
@@ -131,6 +133,7 @@ void ipa_selinux_handler(struct be_req *be_req)
     }
 
     op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb,
+                                       be_ctx->domain,
                                        user_domain,
                                        be_req, pd->user, hostname,
                                        selinux_ctx);
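Review bot: The two new `struct ipa_selinux_op_ctx` members carry no comment saying which domain is meant for what, even though the rest of the patch depends on the distinction (`user_domain` feeds `sss_selinux_extract_user`, `ipa_domain` feeds the host DN, `sysdb_delete_usermaps`, `sysdb_store_selinux_config` and `ipa_save_user_maps`). A one-line comment on each field would stop the next maintainer from reaching for the wrong one: `struct sss_domain_info *user_domain; /* domain the user was found in; may be a trusted subdomain */` and `struct sss_domain_info *ipa_domain;  /* the IPA domain itself; SELinux maps and host entries are stored here */`. The struct's remaining members follow outside the hunk.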
@@ -155,7 +158,8 @@ fail:
 
 static struct ipa_selinux_op_ctx *
 ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
-                          struct sss_domain_info *domain,
+                          struct sss_domain_info *ipa_domain,
+                          struct sss_domain_info *user_domain,
                           struct be_req *be_req,
                           const char *username, const char *hostname,
                           struct ipa_selinux_ctx *selinux_ctx)
@@ -175,15 +179,16 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb,
         return NULL;
     }
     op_ctx->be_req = be_req;
-    op_ctx->domain = domain;
+    op_ctx->ipa_domain = ipa_domain;
+    op_ctx->user_domain = user_domain;
     op_ctx->selinux_ctx = selinux_ctx;
 
-    ret = sss_selinux_extract_user(op_ctx, sysdb, domain, username, &op_ctx->user);
+    ret = sss_selinux_extract_user(op_ctx, sysdb, user_domain, username, &op_ctx->user);
     if (ret != EOK) {
         goto fail;
     }
 
-    host_dn = sysdb_custom_dn(sysdb, op_ctx, domain, hostname, HBAC_HOSTS_SUBDIR);
+    host_dn = sysdb_custom_dn(sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);
     if (host_dn == NULL) {
         goto fail;
     }
@@ -229,7 +234,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
     struct ipa_selinux_op_ctx *op_ctx = tevent_req_callback_data(req, struct ipa_selinux_op_ctx);
     struct be_req *breq = op_ctx->be_req;
     struct be_ctx *be_ctx = be_req_get_be_ctx(breq);
-    struct sysdb_ctx *sysdb = op_ctx->domain->sysdb;
+    struct sysdb_ctx *sysdb = op_ctx->ipa_domain->sysdb;
     errno_t ret, sret;
     size_t map_count = 0;
     struct sysdb_attrs **maps = NULL;
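Review bot: The new `host_dn = sysdb_custom_dn(sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);` line builds a DN under `ipa_domain` but still uses the `sysdb` handle the caller passes in, and the caller's hunk shows that handle is `user_domain->sysdb`. Whether a trusted subdomain and the IPA domain share one sysdb context is not visible in this patch; if they ever do not, the host entry is looked up in the wrong database while the user lookup silently stays correct. Now that both domains are parameters, the function can take the handle from the domain it is actually querying, `ret = sss_selinux_extract_user(op_ctx, user_domain->sysdb, user_domain, username, &op_ctx->user);` and `host_dn = sysdb_custom_dn(ipa_domain->sysdb, op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR);`, which makes the `sysdb` parameter redundant and removes the mixed-handle case. The body of ipa_selinux_create_op_ctx continues outside the hunk.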
@@ -258,21 +263,22 @@ static void ipa_selinux_handler_done(struct tevent_req *req)
     }
     in_transaction = true;
 
-    ret = sysdb_delete_usermaps(op_ctx->domain->sysdb, op_ctx->domain);
+    ret = sysdb_delete_usermaps(op_ctx->ipa_domain->sysdb, op_ctx->ipa_domain);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE,
               ("Cannot delete existing maps from sysdb\n"));
         goto fail;
     }
 
-    ret = sysdb_store_selinux_config(sysdb, op_ctx->domain,
+    ret = sysdb_store_selinux_config(op_ctx->ipa_domain->sysdb,
+                                     op_ctx->ipa_domain,
                                      default_user, map_order);
     if (ret != EOK) {
         goto fail;
     }
 
     if (map_count > 0 && maps != NULL) {
-        ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps);
+        ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps);
         if (ret != EOK) {
             goto fail;
         }
-- 
1.8.5.3
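Review bot: The two new `op_ctx->ipa_domain->sysdb` expressions in this hunk spell out a handle the function already has in the local `sysdb`, which the preceding hunk now initialises from exactly that field, and the third call in the same hunk, `ipa_save_user_maps(sysdb, ...)`, uses the local. Mixing the two forms invites a later reader to assume they differ; using the local throughout keeps the three stores visibly on the same database: `ret = sysdb_delete_usermaps(sysdb, op_ctx->ipa_domain);` and `ret = sysdb_store_selinux_config(sysdb, op_ctx->ipa_domain, default_user, map_order);`. The transaction commit and the `fail:` path of ipa_selinux_handler_done lie outside the hunk, so whether the deleted maps are rolled back on a failed store cannot be confirmed from here.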