>From 8411c3cf7df4f16a11ecc1f13a658cf960b2a15b Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Wed, 5 Mar 2014 16:35:00 +0100 Subject: [PATCH] IPA: Use the correct domain when processing SELinux rules We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user. https://fedorahosted.org/sssd/ticket/2270 --- src/providers/ipa/ipa_selinux.c | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 6b28d4f97b708e55946fe17cae06060ed99e612b..81e8d59fd58be25253968eee3a498e1a300f3347 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -56,7 +56,8 @@ static errno_t ipa_get_selinux_recv(struct tevent_req *req, static struct ipa_selinux_op_ctx * ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - struct sss_domain_info *domain, + struct sss_domain_info *ipa_domain, + struct sss_domain_info *user_domain, struct be_req *be_req, const char *username, const char *hostname, struct ipa_selinux_ctx *selinux_ctx); @@ -79,7 +80,8 @@ static errno_t ipa_selinux_process_maps(TALLOC_CTX *mem_ctx, struct ipa_selinux_op_ctx { struct be_req *be_req; - struct sss_domain_info *domain; + struct sss_domain_info *user_domain; + struct sss_domain_info *ipa_domain; struct ipa_selinux_ctx *selinux_ctx; struct sysdb_attrs *user; @@ -130,6 +132,7 @@ void ipa_selinux_handler(struct be_req *be_req) } op_ctx = ipa_selinux_create_op_ctx(be_req, user_domain->sysdb, + be_ctx->domain, user_domain, be_req, pd->user, hostname, selinux_ctx); @@ -200,7 +203,8 @@ done: static struct ipa_selinux_op_ctx * ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, - struct sss_domain_info *domain, + struct sss_domain_info *ipa_domain, + struct sss_domain_info *user_domain, struct be_req *be_req, const char *username, const char *hostname, struct ipa_selinux_ctx *selinux_ctx) @@ -220,15 +224,16 @@ ipa_selinux_create_op_ctx(TALLOC_CTX *mem_ctx, struct sysdb_ctx *sysdb, return NULL; } op_ctx->be_req = be_req; - op_ctx->domain = domain; + op_ctx->ipa_domain = ipa_domain; + op_ctx->user_domain = user_domain; op_ctx->selinux_ctx = selinux_ctx; - ret = sss_selinux_extract_user(op_ctx, domain, username, &op_ctx->user); + ret = sss_selinux_extract_user(op_ctx, user_domain, username, &op_ctx->user); if (ret != EOK) { goto fail; } - host_dn = sysdb_custom_dn(op_ctx, domain, hostname, HBAC_HOSTS_SUBDIR); + host_dn = sysdb_custom_dn(op_ctx, ipa_domain, hostname, HBAC_HOSTS_SUBDIR); if (host_dn == NULL) { goto fail; } @@ -274,7 +279,7 @@ static void ipa_selinux_handler_done(struct tevent_req *req) struct ipa_selinux_op_ctx *op_ctx = tevent_req_callback_data(req, struct ipa_selinux_op_ctx); struct be_req *breq = op_ctx->be_req; struct be_ctx *be_ctx = be_req_get_be_ctx(breq); - struct sysdb_ctx *sysdb = op_ctx->domain->sysdb; + struct sysdb_ctx *sysdb = op_ctx->ipa_domain->sysdb; errno_t ret, sret; size_t map_count = 0; struct sysdb_attrs **maps = NULL; @@ -303,21 +308,21 @@ static void ipa_selinux_handler_done(struct tevent_req *req) } in_transaction = true; - ret = sysdb_delete_usermaps(op_ctx->domain); + ret = sysdb_delete_usermaps(op_ctx->ipa_domain); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Cannot delete existing maps from sysdb\n"); goto fail; } - ret = sysdb_store_selinux_config(op_ctx->domain, + ret = sysdb_store_selinux_config(op_ctx->ipa_domain, default_user, map_order); if (ret != EOK) { goto fail; } if (map_count > 0 && maps != NULL) { - ret = ipa_save_user_maps(sysdb, op_ctx->domain, map_count, maps); + ret = ipa_save_user_maps(sysdb, op_ctx->ipa_domain, map_count, maps); if (ret != EOK) { goto fail; } -- 1.8.5.3