This patch modifies the behavior of SSSD when assembling the content of
the user config file for pam_selinux. SSSD will now pick only the first user map in
the priority list that matches the user logging in. All other matching maps are
ignored.

https://fedorahosted.org/sssd/ticket/1360

Rob, please confirm that this is the right and expected behavior.

Thanks
Jan
>From 450d4e1a2b78a590cfc837111fbe7da23167d95f Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzel...@redhat.com>
Date: Fri, 22 Jun 2012 08:26:46 -0400
Subject: [PATCH] SELinux user maps: pick just one map

This patch modifies the behavior of SSSD when assembling the content of
the file for pam_selinux. SSSD will now pick only the first user map in
the priority list that matches the user logging in. All other matching maps are
ignored.

https://fedorahosted.org/sssd/ticket/1360
---
 src/responder/pam/pamsrv_cmd.c |   23 +++++++++++------------
 1 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 2d0324e5bce9881b429ef12567150524b66575c3..21104b5e3b18c8e4dbfb505e7b6fbd7d627fc93b 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -461,12 +461,6 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
             goto done;
         }
     } else {
-        file_content = talloc_strdup(tmp_ctx, "");
-        if (file_content == NULL) {
-            ret = ENOMEM;
-            goto done;
-        }
-
         /* Iterate through the order array and try to find SELinux users
          * in fetched maps. The order array contains all SELinux users
          * allowed in the domain in the same order they should appear
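Review bot: The block comment at the top of this hunk still describes the order array as "the same order they should appear", which reads as if every matching user is written out, but with the initial empty-string allocation removed and the loop now stopping at the first match (in the later hunk) at most one user is ever emitted. Suggest rewording the end of the comment to `* allowed in the domain in priority order; only the first user that has a matching map is used.` so the next reader does not expect a multi-line result. The comment and the enclosing else branch continue past the end of this hunk.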
@@ -484,8 +478,7 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
                 tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
 
                 if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
-                    file_content = talloc_asprintf_append(file_content, "%s\n",
-                                                          tmp_str);
+                    file_content = talloc_strdup(tmp_ctx, tmp_str);
                     if (file_content == NULL) {
                         ret = ENOMEM;
                         goto done;
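Review bot: The replacement `talloc_strdup(tmp_ctx, tmp_str)` drops the trailing newline that the old `"%s\n"` format appended, so the SSS_PAM_SELINUX_MAP payload changes from a newline-terminated line to a bare string, not just from many entries to one. Whatever writes the pam_selinux file on the client side is not visible here; if it expects a complete line, this will silently change the written file, and the single-entry form should then be `file_content = talloc_asprintf(tmp_ctx, "%s\n", tmp_str);`. If the bare string is intended, a one-line comment stating that the map is sent without a terminator would save the next reader the same question. The enclosing loops start and end outside this hunk.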
@@ -493,13 +486,19 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
                     break;
                 }
             }
+
+            if (file_content != NULL) {
+                break;
+            }
         }
     }
 
-    len = strlen(file_content);
-    if (len > 0) {
-        ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
-                               (uint8_t *)file_content);
+    if (file_content) {
+        len = strlen(file_content);
+        if (len > 0) {
+            ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len,
+                                   (uint8_t *)file_content);
+        }
     }
 
 done:
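Review bot: The new `if (file_content != NULL)` check after the inner loop and the `if (file_content)` guard before `strlen` both read `file_content` on the no-match path, where before this patch it held the empty string allocated at the start of the else branch; that allocation is removed in the first hunk, so correctness now depends on `file_content` being initialised to NULL at its declaration, which is above the hunk and not visible here. If the declaration has no initialiser, the no-match path reads an indeterminate pointer and may either skip the break or call `strlen` on garbage. Either confirm the declaration reads `char *file_content = NULL;` or add `file_content = NULL;` at the top of the else branch where the strdup used to be. The function's declarations and its first branch are outside this hunk.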
-- 
1.7.7.6

