Dne pátek 20 července 2012 17:46:33, Jakub Hrozek napsal(a): > On Fri, Jul 20, 2012 at 05:27:44PM +0200, Jan Zelený wrote: > > > Oh right, it's and HBAC attribute.. > > > > > > Can't you just include ipa_hbac_private.h, then? > > > > I didn't exactly like that solution either so I moved those two constants > > to ipa_hbac.h which is supposed to be a public HBAC interface. The "right > > solution" would be to construct a map for HBAC rules, I know we discussed > > this with Stephen several months back but we never really got to do that. > ipa_hbac.h is a public header of libipa_hbac, included in > libipa_hbac-devel. The attribute names don't have to be in the public > interface, I think that including the ipa_hbac_private.h header is just > fine.
Well, it's probably the best of bad options. Patches attached. Jan
>From bab204e5a9f32b49a3ba83680d658e4178ccaa5c Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 20 Jul 2012 11:10:48 -0400 Subject: [PATCH 4/4] Fix linking of HBAC rules and SELinux user maps Translate manually memberHost and memberUser to originalMemberUser and originalMemberHost. Without this, the HBAC rule won't be matched against current user and/or host, meaning that no SELinux user map connected to it will be matched againts any user on the system. --- src/providers/ipa/ipa_session.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c index 4ddf0529f01bce3a8966b4e825acbcd150b547c5..4be0ec4e37dbd0049e81262ca7dd10a83e402847 100644 --- a/src/providers/ipa/ipa_session.c +++ b/src/providers/ipa/ipa_session.c @@ -32,6 +32,7 @@ #include "providers/ipa/ipa_session.h" #include "providers/ipa/ipa_hosts.h" #include "providers/ipa/ipa_hbac_rules.h" +#include "providers/ipa/ipa_hbac_private.h" #include "providers/ipa/ipa_selinux_common.h" #include "providers/ipa/ipa_selinux_maps.h" @@ -472,6 +473,7 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) struct ipa_get_selinux_state); struct sysdb_attrs **rules; struct sysdb_attrs *usermap; + struct ldb_message_element *el; const char *hbac_dn; const char *seealso_dn; size_t rule_count; @@ -494,6 +496,17 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) goto done; } + /* We need to do this translation for further processing. We have to + * do it manually because no map was used to retrieve HBAC rules. + */ + ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_HOST, &el); + if (ret != EOK) goto done; + el->name = SYSDB_ORIG_MEMBER_HOST; + + ret = sysdb_attrs_get_el(rules[i], IPA_MEMBER_USER, &el); + if (ret != EOK) goto done; + el->name = SYSDB_ORIG_MEMBER_USER; + DEBUG(SSSDBG_TRACE_ALL, ("Matching HBAC rule %s with SELinux mappings\n", hbac_dn)); -- 1.7.7.6
>From 2f96c36d328d8963c4eb1c84a2f8b637383b1e24 Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 20 Jul 2012 11:05:24 -0400 Subject: [PATCH 1/4] Added some DEBUG statements into SELinux related code --- src/providers/ipa/ipa_session.c | 18 ++++++++++++++---- src/util/sss_selinux.c | 28 ++++++++++++++++++++++++---- 2 files changed, 38 insertions(+), 8 deletions(-) diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c index 3a87e957cacae8230f295b60459f865f02df77ff..51c785f5a396055a4c345fd8fe3729c154554cb4 100644 --- a/src/providers/ipa/ipa_session.c +++ b/src/providers/ipa/ipa_session.c @@ -481,21 +481,28 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) ret = ipa_hbac_rule_info_recv(subreq, state, &rule_count, &rules); + DEBUG(SSSDBG_TRACE_INTERNAL, + ("Received %d HBAC rules\n", rule_count)); talloc_free(subreq); if (ret != EOK) { goto done; } for (i = 0; i < rule_count; i++) { - if (!sss_selinux_match(rules[i], state->user, state->host, &priority)) { - continue; - } - ret = sysdb_attrs_get_string(rules[i], SYSDB_ORIG_DN, &hbac_dn); if (ret != EOK) { goto done; } + DEBUG(SSSDBG_TRACE_ALL, + ("Matching HBAC rule %s with SELinux mappings\n", hbac_dn)); + + if (!sss_selinux_match(rules[i], state->user, state->host, &priority)) { + DEBUG(SSSDBG_TRACE_ALL, ("Rule did not match\n")); + continue; + } + + /* HBAC rule matched, find if it is in the "possible" list */ for (j = 0; state->possible_match[j]; j++) { usermap = state->possible_match[j]; @@ -509,6 +516,9 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) } if (strcasecmp(hbac_dn, seealso_dn) == 0) { + DEBUG(SSSDBG_TRACE_FUNC, ("HBAC rule [%s] matched, copying its" + "attributes to SELinux user map [%s]\n", + hbac_dn, seealso_dn)); priority &= ~(SELINUX_PRIORITY_USER_NAME | SELINUX_PRIORITY_USER_GROUP | SELINUX_PRIORITY_USER_CAT); diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c index 7b2417bbead70b110df7ee4a0974d1eaa2525b3f..b749b236da9c8b87c8525ee9e755896740597997 100644 --- a/src/util/sss_selinux.c +++ b/src/util/sss_selinux.c @@ -84,9 +84,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, if (user) { ret = sysdb_attrs_get_el(user, SYSDB_ORIG_DN, &dn); - if (ret != EOK) return false; + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, ("User does not have origDN\n")); + return false; + } ret = sysdb_attrs_get_el(user, SYSDB_ORIG_MEMBEROF, &memberof); - if (ret != EOK) return false; + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_ALL, + ("User does not have orig memberof, " + "therefore it can't match to any rule\n")); + return false; + } /** * The rule won't match if user category != "all" and user map doesn't @@ -95,6 +103,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, if (usercat == NULL || usercat->num_values == 0 || strcasecmp((char *)usercat->values[0].data, "all") != 0) { if (users_el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; } else { matched_name = match_entity(users_el, dn); @@ -104,6 +113,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, } else if (matched_group) { priority |= SELINUX_PRIORITY_USER_GROUP; } else { + DEBUG(SSSDBG_TRACE_ALL, ("User did not match\n")); return false; } } @@ -114,9 +124,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, if (host) { ret = sysdb_attrs_get_el(host, SYSDB_ORIG_DN, &dn); - if (ret != EOK) return false; + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, ("Host does not have origDN\n")); + return false; + } ret = sysdb_attrs_get_el(host, SYSDB_ORIG_MEMBEROF, &memberof); - if (ret != EOK) return false; + if (ret != EOK) { + DEBUG(SSSDBG_TRACE_ALL, + ("Host does not have orig memberof, " + "therefore it can't match to any rule\n")); + return false; + } /** * The rule won't match if host category != "all" and user map doesn't @@ -125,6 +143,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, if (hostcat == NULL || hostcat->num_values == 0 || strcasecmp((char *)hostcat->values[0].data, "all") != 0) { if (hosts_el == NULL) { + DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; } else { matched_name = match_entity(hosts_el, dn); @@ -134,6 +153,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, } else if (matched_group) { priority |= SELINUX_PRIORITY_HOST_GROUP; } else { + DEBUG(SSSDBG_TRACE_ALL, ("Host did not match\n")); return false; } } -- 1.7.7.6
>From a8424ef3eb38b9b3a19434de92123ec35aa2700c Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 20 Jul 2012 11:09:30 -0400 Subject: [PATCH 3/4] Remove ipa_selinux_map_merge() This function is no longer necessary since sysdb interface for copying elements has been implemented. --- src/providers/ipa/ipa_selinux_common.c | 41 -------------------------------- src/providers/ipa/ipa_selinux_common.h | 4 --- src/providers/ipa/ipa_session.c | 10 ------- 3 files changed, 0 insertions(+), 55 deletions(-) diff --git a/src/providers/ipa/ipa_selinux_common.c b/src/providers/ipa/ipa_selinux_common.c index 15f0b4588c1189061252f4db573dc2b87d9556e4..a01e0b6cb3f60348e0b0ad7d7d0a23b0ae0d3c56 100644 --- a/src/providers/ipa/ipa_selinux_common.c +++ b/src/providers/ipa/ipa_selinux_common.c @@ -27,47 +27,6 @@ #include "providers/ipa/ipa_selinux_common.h" -errno_t ipa_selinux_map_merge(struct sysdb_attrs *map, - struct sysdb_attrs *rule, - const char *attr) -{ - struct ldb_message_element *map_el; - struct ldb_message_element *rule_el; - size_t total_cnt; - errno_t ret; - int i = 0; - - ret = sysdb_attrs_get_el(map, attr, &map_el); - if (ret != EOK) { - goto done; - } - - ret = sysdb_attrs_get_el(rule, attr, &rule_el); - if (ret != EOK) { - goto done; - } - - total_cnt = map_el->num_values + rule_el->num_values; - map_el->values = talloc_realloc(map->a, map_el->values, - struct ldb_val, total_cnt); - if (map_el->values == NULL) { - ret = ENOMEM; - goto done; - } - - while (map_el->num_values < total_cnt) - { - map_el->values[map_el->num_values] = ldb_val_dup(map_el->values, - &rule_el->values[i]); - map_el->num_values++; - i++; - } - - ret = EOK; -done: - return ret; -} - errno_t ipa_save_user_maps(struct sysdb_ctx *sysdb, size_t map_count, struct sysdb_attrs **maps) diff --git a/src/providers/ipa/ipa_selinux_common.h b/src/providers/ipa/ipa_selinux_common.h index 17ccb231282763b6cbe479eb31520def6d1a0fc5..d722136e9eb96350644bcaf29e69dbecca155815 100644 --- a/src/providers/ipa/ipa_selinux_common.h +++ b/src/providers/ipa/ipa_selinux_common.h @@ -25,10 +25,6 @@ #ifndef IPA_SELINUX_COMMON_H_ #define IPA_SELINUX_COMMON_H_ -errno_t ipa_selinux_map_merge(struct sysdb_attrs *map, - struct sysdb_attrs *rule, - const char *attr); - errno_t ipa_save_host(struct sysdb_ctx *sysdb, struct sysdb_attrs *host); diff --git a/src/providers/ipa/ipa_session.c b/src/providers/ipa/ipa_session.c index 51c785f5a396055a4c345fd8fe3729c154554cb4..4ddf0529f01bce3a8966b4e825acbcd150b547c5 100644 --- a/src/providers/ipa/ipa_session.c +++ b/src/providers/ipa/ipa_session.c @@ -541,16 +541,6 @@ static void ipa_get_selinux_hbac_done(struct tevent_req *subreq) /* Just to boost the following lookup */ state->possible_match[j] = NULL; - - ret = ipa_selinux_map_merge(usermap, rules[i], SYSDB_ORIG_MEMBER_USER); - if (ret != EOK) { - goto done; - } - - ret = ipa_selinux_map_merge(usermap, rules[i], SYSDB_ORIG_MEMBER_HOST); - if (ret != EOK) { - goto done; - } } } } -- 1.7.7.6
>From 6e510d639bae58765899b88b1eac88ed985a7a0a Mon Sep 17 00:00:00 2001 From: Jan Zeleny <jzel...@redhat.com> Date: Fri, 20 Jul 2012 11:06:20 -0400 Subject: [PATCH 2/4] Extend category support in SELinux user maps This patch adds the possibility for user/host category attributes to have more than one value. It also fixes semantically wrong evaluation of SELinux map priority. --- src/util/sss_selinux.c | 30 ++++++++++++++++++++++++------ 1 files changed, 24 insertions(+), 6 deletions(-) diff --git a/src/util/sss_selinux.c b/src/util/sss_selinux.c index b749b236da9c8b87c8525ee9e755896740597997..2b31c5c1d9410f33181a3388250207cef95276be 100644 --- a/src/util/sss_selinux.c +++ b/src/util/sss_selinux.c @@ -62,6 +62,7 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, uint32_t priority = 0; bool matched_name; bool matched_group; + bool matched_category; errno_t ret; if (usermap == NULL) { @@ -100,8 +101,17 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, * The rule won't match if user category != "all" and user map doesn't * contain neither user nor any of his groups in memberUser attribute */ - if (usercat == NULL || usercat->num_values == 0 || - strcasecmp((char *)usercat->values[0].data, "all") != 0) { + matched_category = false; + if (usercat != NULL) { + for (i = 0; i < usercat->num_values; i++) { + if (strcasecmp((char *)usercat->values[i].data, "all") != 0) { + matched_category = true; + break; + } + } + } + + if (!matched_category) { if (users_el == NULL) { DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; @@ -140,8 +150,16 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, * The rule won't match if host category != "all" and user map doesn't * contain neither host nor any of its groups in memberHost attribute */ - if (hostcat == NULL || hostcat->num_values == 0 || - strcasecmp((char *)hostcat->values[0].data, "all") != 0) { + matched_category = false; + if (hostcat != NULL) { + for (i = 0; i < hostcat->num_values; i++) { + if (strcasecmp((char *)hostcat->values[i].data, "all") != 0) { + matched_category = true; + break; + } + } + } + if (!matched_category) { if (hosts_el == NULL) { DEBUG(SSSDBG_TRACE_ALL, ("No users specified in the rule!\n")); return false; @@ -157,9 +175,9 @@ bool sss_selinux_match(struct sysdb_attrs *usermap, return false; } } + } else { + priority |= SELINUX_PRIORITY_HOST_CAT; } - } else { - priority |= SELINUX_PRIORITY_HOST_CAT; } if (_priority != NULL) { -- 1.7.7.6
signature.asc
Description: This is a digitally signed message part.
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel