On Friday, 22 June 2012 09:41:37, Rob Crittenden wrote:
> Jan Zelený wrote:
> > On Friday, 22 June 2012 09:15:15, Rob Crittenden wrote:
> >> Jan Zelený wrote:
> >>> This patch modifies behavior of SSSD when putting together content of
> >>> the user config file for pam_selinux. SSSD will now pick only the first
> >>> user map in the priority list which matches the user logging in. Other
> >>> maps are ignored.
> >>>
> >>> https://fedorahosted.org/sssd/ticket/1360
> >>>
> >>> Rob, please confirm that this is the right and expected behavior.
> >>>
> >>> Thanks
> >>> Jan
> >>
> >> What you have described sounds right. I don't have enough context in
> >> sssd to know whether this patch will achieve that.
> >
> > I realize that. I just wanted to verify that the described behavior is
> > correct. The patch itself will be reviewed by someone else from the SSSD
> > team.
> >
> > Thank you for the confirmation
>
> We had a discussion in IRC and it seems that the use of the usermap
> order is incorrect. The list is ordered from least to most permissive
> (xguest ... unconfined).
>
> We want to assign the most permissive context available. So if several
> rules evaluate the same except for context we need to refer to the
> ordered list and pick the most permissive one.
The following patch selects the right record with respect to the ascending order of permission levels.

Thanks
Jan
>From 6cd141170e1063ae5a60f810b6db74a85330ffc0 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 22 Jun 2012 08:26:46 -0400 Subject: [PATCH] SELinux user maps: pick just one map This patch modifies behavior of SSSD when putting together content of the file for pam_selinux. SSSD will now pick only the first user map in the priority list which matches to the user logging in. Other maps are ignored. https://fedorahosted.org/sssd/ticket/1360 --- src/responder/pam/pamsrv_cmd.c | 23 +++++++++++------------ 1 files changed, 11 insertions(+), 12 deletions(-) diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c index 2d0324e5bce9881b429ef12567150524b66575c3..20de738fc58e3f3938715e85cf0c02639a0dd902 100644 --- a/src/responder/pam/pamsrv_cmd.c +++ b/src/responder/pam/pamsrv_cmd.c @@ -461,12 +461,6 @@ static errno_t get_selinux_string(struct pam_auth_req *preq) goto done; } } else { - file_content = talloc_strdup(tmp_ctx, ""); - if (file_content == NULL) { - ret = ENOMEM; - goto done; - } - /* Iterate through the order array and try to find SELinux users * in fetched maps. The order array contains all SELinux users * allowed in the domain in the same order they should appear @@ -484,8 +478,11 @@ static errno_t get_selinux_string(struct pam_auth_req *preq) tmp_str = sss_selinux_map_get_seuser(usermaps[j]); if (tmp_str && !strcasecmp(tmp_str, order_array[i])) { - file_content = talloc_asprintf_append(file_content, "%s\n", - tmp_str); + /* If file_content contained something, overwrite it. + * This record has higher priority. + */ + talloc_zfree(file_content); + file_content = talloc_strdup(tmp_ctx, tmp_str); if (file_content == NULL) { ret = ENOMEM; goto done; 
@@ -496,10 +493,12 @@ static errno_t get_selinux_string(struct pam_auth_req *preq) } } - len = strlen(file_content); - if (len > 0) { - ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len, - (uint8_t *)file_content); + if (file_content) { + len = strlen(file_content); + if (len > 0) { + ret = pam_add_response(pd, SSS_PAM_SELINUX_MAP, len, + (uint8_t *)file_content); + } } done: -- 1.7.7.6
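Review bot: in the first hunk (@@ -461,12 +461,6 @@), dropping the initial `file_content = talloc_strdup(tmp_ctx, "");` from the `else` branch makes the rest of the function depend on `file_content` being initialised to NULL at its declaration, which is outside the hunk; the later `talloc_zfree(file_content);` and `if (file_content)` checks are only correct if that holds, so please confirm the declaration reads `char *file_content = NULL;` or add the initialiser in this patch.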
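Review bot: in the second hunk (@@ -484,8 +478,11 @@), the commit message still says SSSD picks "only the first user map in the priority list", but the replaced lines let each later match overwrite `file_content`, so with `order_array` ordered least to most permissive the last match wins; the message and the new comment ("This record has higher priority") should say why a later record wins, i.e. the most-permissive-wins behaviour agreed in the thread. Also note the removed append wrote `"%s\n"` whereas `file_content = talloc_strdup(tmp_ctx, tmp_str);` drops the trailing newline; confirm the pam_selinux side does not expect a newline-terminated line.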
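Review bot: in the third hunk (@@ -496,10 +493,12 @@), when `file_content` is NULL (no map matched) the new `if (file_content)` guard skips `pam_add_response`, and nothing in this region assigns `ret` on that path, so it keeps whatever value it held earlier in the function; make sure it is EOK at `done:` in that case, otherwise a login with no matching map could return a stale error code.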
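The selection rule Rob describes, and the behavioural change the patch makes, shown side by side as an added stand-alone example (not SSSD code): the old helper concatenates every matching seuser one per line, the new one walks the order list from least to most permissive and keeps only the most permissive match. The order names and the matched maps are constructed sample data, not taken from any real configuration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample of a domain's SELinux user order, least to most
 * permissive (xguest ... unconfined). Illustrative names only. */
static const char *const order_array[] = {
    "xguest_u", "guest_u", "user_u", "staff_u", "unconfined_u"
};
#define N_ORDER (sizeof(order_array) / sizeof(order_array[0]))

/* Old behaviour (before the patch): every matching seuser is appended,
 * one per line, so pam_selinux received several candidates. Returns
 * the length of the text written to out. */
size_t old_collect(const char *const *matched, size_t n_matched,
                   char *out, size_t out_len)
{
    out[0] = '\0';
    for (size_t i = 0; i < N_ORDER; i++)
        for (size_t j = 0; j < n_matched; j++)
            if (matched[j] && strcasecmp(matched[j], order_array[i]) == 0) {
                strncat(out, order_array[i], out_len - strlen(out) - 1);
                strncat(out, "\n", out_len - strlen(out) - 1);
            }
    return strlen(out);
}

/* New behaviour: walk order_array from least to most permissive and let a
 * later match overwrite an earlier one, so the most permissive seuser that
 * any map matched is the only one kept. NULL means no map matched at all,
 * the case the patch's "if (file_content)" guard covers. */
const char *pick_most_permissive(const char *const *matched, size_t n_matched)
{
    const char *chosen = NULL;
    for (size_t i = 0; i < N_ORDER; i++)
        for (size_t j = 0; j < n_matched; j++)
            if (matched[j] && strcasecmp(matched[j], order_array[i]) == 0)
                chosen = order_array[i];   /* later entry: higher priority */
    return chosen;
}

int main(void)
{
    /* Constructed: two maps matched this login, in arbitrary order/case. */
    const char *const matched[] = { "Staff_u", "user_u" };
    char old_buf[128];
    old_collect(matched, 2, old_buf, sizeof(old_buf));
    printf("old:\n%s", old_buf);                        /* user_u, staff_u */
    printf("new: %s\n", pick_most_permissive(matched, 2)); /* staff_u */
    return 0;
}
```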