This patchset fixes the SELinux processing so that it works also offline
for cases described in #1626 for example.

The code was architected in an extremely strange way where every request
would store a per-request/per-user score attribute in the selinux mapping
objects themselves and the responder would just pick the highest score.
At the same time, the scores were only calculated when the mappings were
downloaded and only for rules that matched, which pretty much broke offline
support. I intend to fix the architecture by making the provider only
download and store the rules and letting the responder pick the context. But I'm
not sure if I can do that right during the current time constraints. I filed
#1743 to track that effort and I'll be sending some patches for master so
far, but I'd like to include this patchset to fix the functionality at last.

I also noticed that the rules are downloaded on *every login*, without
any timeout in between, so I filed #1744 to either reuse
IPA_HBAC_REFRESH or introduce a similar timeout for performance reasons.

[PATCH 1/4] SYSDB: Remove duplicate selinux defines
Some constants were defined in both sysdb.h and sysdb_selinux.h. This
patch removes the duplicates.

[PATCH 2/4] SYSDB: Split a function to read all SELinux maps
This function will be reused in the DP to read maps from cache when
offline.

[PATCH 3/4] SELINUX: Process maps even when offline
The patch is quite big, but I couldn't split it in a meaningful way,
sorry. The patch changes the ipa_get_selinux{send,recv} to only provide
data independently of the offline state and moves all the processing to
the ipa_selinux_handler. The scores are calculated

[PATCH 4/4] IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP
The option IPA_CONFIG_SELINUX_DEFAULT_MAP was misnamed. It doesn't
describe any map, but the default context the user should obtain when
nothing else matches.