#161 - Rename session provider to selinux provider
#162 - Move SELinux provider processing right after PAM_ACCT_MGMT
These patches are a proof of concept solving following ticket:
I realize that there might be some rough edges to sand off but right now the
important thing for me is to know whether the approach implemented in patch
#162 and described in the comment #1 in the ticket is valid.
Added some debug messages
The original priority patch had this condition in the wrong place, resulting
in hostCategory == all not being taken into account
The function ipa_selinux_map_merge() is no longer necessary since more generic
function has been implemented and it is even used in the code
This patch provides the fix for HBAC - SELinux linking itself. I'm not sure
about defining those two constants on top. If anyone has better idea where to
put them in order to consolidate them with the same constants private for HBAC
code, I'm open to suggestions.
Finally removes EOK constant from sudo api header. It is not used in
the SUDO code so it does not require their changes.
This does what is requested in the ticket. It seems to be very huge but
in fact it is mainly changing the variable. Basically I tried to get
rid of domain ctx where possible, leave it only in initgroups part and
use command ctx elsewhere.
The in-memory cache is not yet implemented, I want to discuss the
possible ways of doing it.
The basic problem is that we need to get the domain during the request
for default options. How will we do it? I think there are two options:
1. always try to perform the initgroups - find the domain and the check
the in-memory cache (which may be slow if the user is in the last
domain, but that will be probably handled as part of
2. store uid:username = domain in the in-memory cache (same cache as
results or a new one?)
This patch contains a modified version of sysdb_get_sudo_user_info()
where the uid is not mandatory. I want to replace this function with
sysdb_sudo_get_user_groups() (or make it generic and place it in
sysdb_ops?) because the groupnames are the only thing we don't know.
However this requires a modification of the data provider protocol as
well so I'm keeping it for later.