History log of /sssd-io/src/providers/ipa/ipa_selinux.c
Revision Date Author Comments Expand
60a715a0dd79873d2d2607eab8fdfaf0ffd2e7d3 09-Feb-2018 Hristo Venev <hristo@venev.name>

providers: Move hostid from ipa to sdap, v2 In the ldap provider, all option names are renamed to ldap_host_*. In the ipa provider the names haven't been changed. Host lookups for both ipa and ldap are handled in the ldap provider. sss_ssh_knownhostsproxy works but hostgroups are still only available in the ipa provider. I've also added some documentation for the ldap provider. Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
e17e37cd0e2109e7f1bd4ae48edfc8cca85b3f93 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA_ACCESS: Make hbac_get_cache_rules() more generic This method can also be reused in the future for new backend modules. In order to make it more generic, let's just move it to ipa_rules_common.[ch], rename it to ipa_common_get_cached_rules() and make the rule, subtree name and the attributes to be searched new parameters of this method. In order to not be declaring the enourmous list of attributes HBAC uses when calling this method, a new hbac_get_attrs_to_get_cached_rules() method has been introduced. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
21909d3b620d97e81dd946b959a47efe88d2b7d8 28-Aug-2017 Fabiano Fidêncio <fidencio@redhat.com>

IPA: Leave only HBAC specific defines in ipa_hbac_private.h The defines that were moved can and will be used by another backend module that will be introduced in the near future. Related: https://pagure.io/SSSD/sssd/issue/2995 Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Pavel Březina <pbrezina@redhat.com>
273c6ed07ce59248192f7af324e2d9cc6a763031 07-Jul-2016 Jakub Hrozek <jhrozek@redhat.com>

SELINUX: Parse the internal fqname before using it libselinux uses getpwnam() to retrieve the user data, therefore we qualify the data with sss_output_name() before calling libselinux. Reviewed-by: Sumit Bose <sbose@redhat.com>
dea636af4d1902a081ee891f1b19ee2f8729d759 20-Jun-2016 Pavel Březina <pbrezina@redhat.com>

DP: Switch to new interface Reviewed-by: Sumit Bose <sbose@redhat.com> Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>

/sssd-io/Makefile.am /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_access.h /sssd-io/src/providers/ad/ad_autofs.c /sssd-io/src/providers/ad/ad_common.h /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_id.h /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/ad/ad_subdomains.h /sssd-io/src/providers/ad/ad_sudo.c /sssd-io/src/providers/backend.h /sssd-io/src/providers/data_provider/dp_custom_data.h /sssd-io/src/providers/data_provider/dp_iface.c /sssd-io/src/providers/data_provider/dp_iface.h /sssd-io/src/providers/data_provider/dp_target_auth.c /sssd-io/src/providers/data_provider/dp_target_autofs.c /sssd-io/src/providers/data_provider/dp_target_hostid.c /sssd-io/src/providers/data_provider/dp_target_id.c /sssd-io/src/providers/data_provider/dp_target_subdomains.c /sssd-io/src/providers/data_provider/dp_target_sudo.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_req.c /sssd-io/src/providers/data_provider_req.h ipa_access.c ipa_access.h ipa_auth.c ipa_auth.h ipa_autofs.c ipa_common.h ipa_hbac_common.c ipa_hostid.c ipa_hostid.h ipa_id.c ipa_id.h ipa_init.c ipa_selinux.c ipa_selinux.h ipa_subdomains.c ipa_subdomains.h ipa_subdomains_ext_groups.c ipa_subdomains_id.c ipa_subdomains_server.c ipa_sudo.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_auth.h /sssd-io/src/providers/krb5/krb5_common.h /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_common.h /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap_access.h /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_autofs.h /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_online_check.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo.h /sssd-io/src/providers/proxy/proxy.h /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_client.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/tests/cmocka/test_nested_groups.c /sssd-io/src/tests/simple_access-tests.c
45e11be651dbd3855a35de4abd2922e5b9d4b963 31-May-2016 Jakub Hrozek <jhrozek@redhat.com>

Do not leak fds in case of failures setting up a child process Resolves: https://fedorahosted.org/sssd/ticket/3006 The handling of open pipes in failure cases was suboptimal. Moreover, the faulty logic was copied all over the place. This patch introduces helper macros to: - initialize the pipe endpoints to -1 - close an open pipe fd and set it to -1 afterwards - close both ends unless already closed These macros are used in the child handling code. The patch also uses child_io_destructor in the p11_child code for safer fd handling. Reviewed-by: Petr Cech <pcech@redhat.com>
de8815aba87d08b6b7ac5d502dcb1755787e0857 19-May-2016 Jakub Hrozek <jhrozek@redhat.com>

UTIL: exit() the forked process if exec()-ing a child process fails When exec() fails, we should not attempt to continue, but just kill the forked process. The patch adds this logic to the exec_child() and exec_child_ex() functions to avoid code duplication Resolves: https://fedorahosted.org/sssd/ticket/3016 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
6dff95bdfe437afc0b62b5270d0d84140981c786 24-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

IPA: Remove the ipa_hbac_treat_deny_as option https://fedorahosted.org/sssd/ticket/2603 Since deny rules are no longer supported on the server, the client should no longer support them either. Remove the option. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
3e6dac8e14f8a3da6d359ee013453dbd8a38dd99 17-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

selinux: Handle setup with empty default and no configured rules SSSD also needs to handle the setup where no rules match the machine and the default has no MLS component. Related to: https://fedorahosted.org/sssd/ticket/2587 Reviewed-by: Michal Židek <mzidek@redhat.com>
87f8bee53ee1b4ca87b602ff8536bc5fd5b5b595 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

Add missing new lines to debug messages Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

/sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_views.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_ptask.c ipa_access.c ipa_hbac_rules.c ipa_hostid.c ipa_selinux.c ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_utils.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tools/files.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/server.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_semanage.c /sssd-io/src/util/usertools.c
0df2970fe147fb7b130d825c16097c2322f21905 17-Mar-2015 Lukas Slebodnik <lslebodn@redhat.com>

ipa_selinux: Fix warning may be used uninitialized src/providers/ipa/ipa_selinux.c: In function 'ipa_selinux_handler_done': src/providers/ipa/ipa_selinux.c:927:16: error: 'sci' may be used uninitialized in this function [-Werror=maybe-uninitialized] state->sci = sci; ^ src/providers/ipa/ipa_selinux.c:333:33: note: 'sci' was declared here struct selinux_child_input *sci; ^ cc1: all warnings being treated as errors Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
01f78f755fde63997ccfded71fb8395569b11430 04-Mar-2015 Jakub Hrozek <jhrozek@redhat.com>

selinux: Delete existing user mapping on empty default https://fedorahosted.org/sssd/ticket/2587 The case of SELinux default user mapping being an empty string is valid, it should translate into "pick the default context on the target machine". In case the context is empty, we need to delete the per-user mapping from the SELinux database to make sure the default is used. Reviewed-by: Michal Židek <mzidek@redhat.com> Reviewed-by: Pavel Reichl <preichl@redhat.com>
f3d91181d4ee9da3f8bbf4ddf8782951c0ae46c1 15-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Unify the fd_nonblocking implementation The responder and child_common modules each had their own implementation. Unify it instead and add a unit test. Reviewed-by: Pavel Březina <pbrezina@redhat.com>
16cb0969f0a9ea71524d852077d6a480740d4f12 13-Jan-2015 Jakub Hrozek <jhrozek@redhat.com>

UTIL: Allow dup-ing child pipe to a different FD Related to: https://fedorahosted.org/sssd/ticket/2544 Adds a new function exec_child_ex and moves setting the extra_argv[] to exec_child_ex() along with specifying the input and output fds. Reviewed-by: Sumit Bose <sbose@redhat.com>
b02eda90e9c6d6666af55041b1b12f5ac2f47b73 08-Dec-2014 Lukas Slebodnik <lslebodn@redhat.com>

IPA: Do not append domain name to fq name Usernames from AD subdomains are already in fqdn we should not append domain name in this case. Resolves: https://fedorahosted.org/sssd/ticket/2512 Reviewed-by: Michal Židek <mzidek@redhat.com>
b4f87b42b18888c396e44e7359f7aafb092221bf 03-Dec-2014 Jakub Hrozek <jhrozek@redhat.com>

Add extra_args to exec_child() Related: https://fedorahosted.org/sssd/ticket/2503 Currently all child processes use the same arguments, the construction of argv[] is even hardcoded in exec_child(). Add an extra_args[] array that extends the common set of argvs so that we can have child-specific arguments. Also adds a unit test. Reviewed-by: Sumit Bose <sbose@redhat.com>
4612fa4160ea14189accbe58de5cee9149187c21 06-Nov-2014 Lukas Slebodnik <lslebodn@redhat.com>

IPA: Store right username to selinux child context Wrong name would be used with fully qualified names. Reviewed-by: Michal Židek <mzidek@redhat.com>
f3a25949de81f80c136bb073e4a8f504b080c20c 05-Nov-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Move setting the SELinux context to a child process In order for the sssd_be process to run as unprivileged user, we need to move the semanage processing to a process that runs as the root user using setuid privileges. Reviewed-by: Michal Židek <mzidek@redhat.com>
9c47c8c59b5c9078f342f82367cd0ad7857acef8 20-Oct-2014 Michal Zidek <mzidek@redhat.com>

IPA: Use set_seuser instead of writing selinux login file Remove the write/remove_selinux login file functions and use set_seuser instead. This patch will require change in selinux policy. Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ff22e829fd73fc53027d1e6ca005a9ac334086dd 29-Jul-2014 Michal Zidek <mzidek@redhat.com>

case_sensitivity = preserving If case_sensitivity is set to 'preserving', getXXnam returns name attribute in the same format as stored in LDAP. Fixes: https://fedorahosted.org/sssd/ticket/2367 Reviewed-by: Pavel Reichl <preichl@redhat.com>
db18dda869bc6c52a41797b2066cf121cf10f49c 22-Jul-2014 Pavel Reichl <preichl@redhat.com>

UTIL: rename find_subdomain_by_name The function was named "find_subdomain" yet it could find both main domain and subdomain. sed 's/find_subdomain_by_name/find_domain_by_name/' -i `find . -name "*.[ch]"` Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
785cfb3dfdd8f38426e71e6161581e85f4f8f941 12-May-2014 Michal Zidek <mzidek@redhat.com>

ipa_selinux: Put SELinux map order related variables into structure Small change to make the code more readable. The relation between order, order_array and order_count is more obvious when they are grouped in structure. resolves: https://fedorahosted.org/sssd/ticket/2304 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
5a4f23a51406af7dcd08e2fb50538292f622e26b 07-Apr-2014 Michal Zidek <mzidek@redhat.com>

Remove dead code from ipa_get_selinux_recv The 'else' branches in ipa_get_selinux_recv are never executed (and even if they were, the result would be the same as if the true branches were taken). Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
7ac7dec08ec2c82a86fd6a90388993cfcee26da1 04-Apr-2014 Michal Zidek <mzidek@redhat.com>

Possible null dereference in SELinux code Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
355b8a655cfcc4e783077d12f76b55da1d23fb87 03-Apr-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Fix SELinux mapping order memory hierarchy https://fedorahosted.org/sssd/ticket/2300 The list of SELinux mapping orders was allocated on tmp_ctx and parsed into an array. The array itself was correctly allocated on mem_ctx but its contents remained on tmp_ctx, leading to a use-after-free error. This patch fixes the memory hierarchy so that both the array and its contents are allocated on mem_ctx.
a059f853074260f4b6a6ead1dca9f18280cb9cdb 13-Mar-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Write SELinux usernames in the right case https://fedorahosted.org/sssd/ticket/2282 Reviewed-by: Michal Židek <mzidek@redhat.com>
36f606d6743e77721bedeed0907f1be7a19fa4f4 11-Mar-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Use the correct domain when processing SELinux rules We blindly used the user's domain for everything. That wrong in case the user comes from a subdomain. We should use the IPA domain for accessing the SELinux rules and host data and the user domain only for the user. https://fedorahosted.org/sssd/ticket/2270 Reviewed-by: Pavel Březina <pbrezina@redhat.com>
0c1a13e435ceab2038233bec3a7468c726b903b9 05-Mar-2014 Jakub Hrozek <jhrozek@redhat.com>

IPA: Do not save intermediate data to sysdb https://fedorahosted.org/sssd/ticket/2264 Reviewed-by: Sumit Bose <sbose@redhat.com>
a3c8390d19593b1e5277d95bfb4ab206d4785150 12-Feb-2014 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>

Make DEBUG macro invocations variadic Use a script to update DEBUG macro invocations to use it as a variadic macro, supplying format string and its arguments directly, instead of wrapping them in parens. This script was used to update the code: grep -rwl --include '*.[hc]' DEBUG . | while read f; do mv "$f"{,.orig} perl -e \ 'use strict; use File::Slurp; my $text=read_file(\*STDIN); $text=~s#(\bDEBUG\s*\([^(]+)\((.*?)\)\s*\)\s*;#$1$2);#gs; print $text;' < "$f.orig" > "$f" rm "$f.orig" done Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> Reviewed-by: Stephen Gallagher <sgallagh@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>

/sssd-io/src/confdb/confdb.c /sssd-io/src/confdb/confdb_setup.c /sssd-io/src/db/sysdb.c /sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_idmap.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_ranges.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/db/sysdb_selinux.c /sssd-io/src/db/sysdb_services.c /sssd-io/src/db/sysdb_ssh.c /sssd-io/src/db/sysdb_subdomains.c /sssd-io/src/db/sysdb_sudo.c /sssd-io/src/db/sysdb_upgrade.c /sssd-io/src/monitor/monitor.c /sssd-io/src/monitor/monitor_netlink.c /sssd-io/src/monitor/monitor_sbus.c /sssd-io/src/providers/ad/ad_access.c /sssd-io/src/providers/ad/ad_common.c /sssd-io/src/providers/ad/ad_domain_info.c /sssd-io/src/providers/ad/ad_dyndns.c /sssd-io/src/providers/ad/ad_id.c /sssd-io/src/providers/ad/ad_init.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/ad/ad_subdomains.c /sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/data_provider_callbacks.c /sssd-io/src/providers/data_provider_fo.c /sssd-io/src/providers/data_provider_opts.c /sssd-io/src/providers/dp_auth_util.c /sssd-io/src/providers/dp_dyndns.c /sssd-io/src/providers/dp_pam_data_util.c /sssd-io/src/providers/dp_ptask.c /sssd-io/src/providers/dp_refresh.c /sssd-io/src/providers/fail_over.c /sssd-io/src/providers/fail_over_srv.c ipa_access.c ipa_auth.c ipa_autofs.c ipa_common.c ipa_config.c ipa_dyndns.c ipa_hbac_common.c ipa_hbac_hosts.c ipa_hbac_rules.c ipa_hbac_services.c ipa_hbac_users.c ipa_hostid.c ipa_hosts.c ipa_id.c ipa_idmap.c ipa_init.c ipa_netgroups.c ipa_s2n_exop.c ipa_selinux.c ipa_selinux_maps.c ipa_srv.c ipa_subdomains.c ipa_subdomains_ext_groups.c ipa_subdomains_id.c ipa_sudo.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_become_user.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_common.c /sssd-io/src/providers/krb5/krb5_delayed_online_authentication.c /sssd-io/src/providers/krb5/krb5_init.c /sssd-io/src/providers/krb5/krb5_init_shared.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/krb5/krb5_utils.c /sssd-io/src/providers/krb5/krb5_wait_queue.c /sssd-io/src/providers/ldap/ldap_access.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/ldap_init.c /sssd-io/src/providers/ldap/sdap.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_connection.c /sssd-io/src/providers/ldap/sdap_async_enum.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_async_sudo_hostinfo.c /sssd-io/src/providers/ldap/sdap_async_sudo_timer.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/ldap/sdap_dyndns.c /sssd-io/src/providers/ldap/sdap_fd_events.c /sssd-io/src/providers/ldap/sdap_id_op.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_range.c /sssd-io/src/providers/ldap/sdap_refresh.c /sssd-io/src/providers/ldap/sdap_reinit.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/ldap/sdap_sudo_cache.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_child.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/proxy/proxy_init.c /sssd-io/src/providers/proxy/proxy_netgroup.c /sssd-io/src/providers/proxy/proxy_services.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/resolv/async_resolv.c /sssd-io/src/resolv/async_resolv_utils.c /sssd-io/src/responder/autofs/autofssrv.c /sssd-io/src/responder/autofs/autofssrv_cmd.c /sssd-io/src/responder/autofs/autofssrv_dp.c /sssd-io/src/responder/common/negcache.c /sssd-io/src/responder/common/responder_cmd.c /sssd-io/src/responder/common/responder_common.c /sssd-io/src/responder/common/responder_dp.c /sssd-io/src/responder/common/responder_get_domains.c /sssd-io/src/responder/nss/nsssrv.c /sssd-io/src/responder/nss/nsssrv_cmd.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/nss/nsssrv_netgroup.c /sssd-io/src/responder/nss/nsssrv_private.h /sssd-io/src/responder/nss/nsssrv_services.c /sssd-io/src/responder/pac/pacsrv.c /sssd-io/src/responder/pac/pacsrv_cmd.c /sssd-io/src/responder/pac/pacsrv_utils.c /sssd-io/src/responder/pam/pam_LOCAL_domain.c /sssd-io/src/responder/pam/pam_helpers.c /sssd-io/src/responder/pam/pamsrv.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/responder/pam/pamsrv_dp.c /sssd-io/src/responder/ssh/sshsrv.c /sssd-io/src/responder/ssh/sshsrv_cmd.c /sssd-io/src/responder/ssh/sshsrv_dp.c /sssd-io/src/responder/sudo/sudosrv.c /sssd-io/src/responder/sudo/sudosrv_cmd.c /sssd-io/src/responder/sudo/sudosrv_dp.c /sssd-io/src/responder/sudo/sudosrv_get_sudorules.c /sssd-io/src/responder/sudo/sudosrv_query.c /sssd-io/src/sbus/sbus_client.c /sssd-io/src/sbus/sssd_dbus_common.c /sssd-io/src/sbus/sssd_dbus_connection.c /sssd-io/src/sbus/sssd_dbus_server.c /sssd-io/src/sss_client/ssh/sss_ssh_authorizedkeys.c /sssd-io/src/sss_client/ssh/sss_ssh_knownhostsproxy.c /sssd-io/src/tests/auth-tests.c /sssd-io/src/tests/cmocka/test_dyndns.c /sssd-io/src/tests/cmocka/test_fqnames.c /sssd-io/src/tests/cmocka/test_nss_srv.c /sssd-io/src/tests/cmocka/test_utils.c /sssd-io/src/tests/common_dom.c /sssd-io/src/tests/common_tev.c /sssd-io/src/tests/debug-tests.c /sssd-io/src/tests/files-tests.c /sssd-io/src/tests/krb5_child-test.c /sssd-io/src/tests/resolv-tests.c /sssd-io/src/tests/simple_access-tests.c /sssd-io/src/tests/sysdb-tests.c /sssd-io/src/tests/sysdb_ssh-tests.c /sssd-io/src/tools/files.c /sssd-io/src/tools/selinux.c /sssd-io/src/tools/sss_cache.c /sssd-io/src/tools/sss_debuglevel.c /sssd-io/src/tools/sss_groupadd.c /sssd-io/src/tools/sss_groupdel.c /sssd-io/src/tools/sss_groupmod.c /sssd-io/src/tools/sss_groupshow.c /sssd-io/src/tools/sss_seed.c /sssd-io/src/tools/sss_sync_ops.c /sssd-io/src/tools/sss_useradd.c /sssd-io/src/tools/sss_userdel.c /sssd-io/src/tools/sss_usermod.c /sssd-io/src/tools/tools_mc_util.c /sssd-io/src/tools/tools_util.c /sssd-io/src/tools/tools_util.h /sssd-io/src/util/authtok.c /sssd-io/src/util/backup_file.c /sssd-io/src/util/check_and_open.c /sssd-io/src/util/child_common.c /sssd-io/src/util/crypto/libcrypto/crypto_base64.c /sssd-io/src/util/crypto/libcrypto/crypto_obfuscate.c /sssd-io/src/util/crypto/nss/nss_obfuscate.c /sssd-io/src/util/crypto/nss/nss_util.c /sssd-io/src/util/debug.c /sssd-io/src/util/domain_info_utils.c /sssd-io/src/util/find_uid.c /sssd-io/src/util/nscd.c /sssd-io/src/util/server.c /sssd-io/src/util/signal.c /sssd-io/src/util/sss_ini.c /sssd-io/src/util/sss_krb5.c /sssd-io/src/util/sss_krb5.h /sssd-io/src/util/sss_ldap.c /sssd-io/src/util/sss_nss.c /sssd-io/src/util/sss_selinux.c /sssd-io/src/util/sss_ssh.c /sssd-io/src/util/sss_tc_utf8.c /sssd-io/src/util/user_info_msg.c /sssd-io/src/util/usertools.c /sssd-io/src/util/util.c /sssd-io/src/util/util.h /sssd-io/src/util/util_lock.c /sssd-io/src/util/well_known_sids.c
c0d1eaeed0bc267fd395ee151a7e0f9f50cb7300 27-Nov-2013 Lukas Slebodnik <lslebodn@redhat.com>

Remove unused parameter from sss_selinux_extract_user
e2ac9be4f293b96f3c8992f1171e44bc1da5cfca 15-Nov-2013 Michal Zidek <mzidek@redhat.com>

SYSDB: Drop redundant sysdb_ctx parameter from sysdb.c
17759fc794c22898d1db609b736fbcd77536d150 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Drop the sysdb_ctx parameter from SELinux functions
7a1a56860993475d0025e7411547649abf09d32c 15-Nov-2013 Jakub Hrozek <jhrozek@redhat.com>

Merge ipa_selinux_common.c and ipa_selinux.c Moved unused functions and merged ipa_selinux_common.c into ipa_selinux.c
0e65abe5cf2abf5d4b431cf6bd161b419f07901d 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: size_t

/sssd-io/src/db/sysdb_autofs.c /sssd-io/src/db/sysdb_ops.c /sssd-io/src/db/sysdb_search.c /sssd-io/src/providers/ad/ad_srv.c /sssd-io/src/providers/fail_over_srv.c ipa_config.c ipa_idmap.c ipa_netgroups.c ipa_selinux.c ipa_selinux_maps.c ipa_srv.c ipa_subdomains_ext_groups.c /sssd-io/src/providers/krb5/krb5_child.c /sssd-io/src/providers/krb5/krb5_child_handler.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_child.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/sdap_access.c /sssd-io/src/providers/ldap/sdap_async_autofs.c /sssd-io/src/providers/ldap/sdap_async_groups.c /sssd-io/src/providers/ldap/sdap_async_groups_ad.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_initgroups_ad.c /sssd-io/src/providers/ldap/sdap_async_nested_groups.c /sssd-io/src/providers/ldap/sdap_async_netgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_async_users.c /sssd-io/src/providers/ldap/sdap_child_helpers.c /sssd-io/src/providers/simple/simple_access_check.c /sssd-io/src/responder/nss/nsssrv_mmap_cache.c /sssd-io/src/responder/pam/pamsrv_cmd.c /sssd-io/src/util/child_common.c
71e234151ddc6b50576364c30bda2b72264b1083 11-Sep-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix formating of variables with type: ssize_t
dcb44c39dda9699cdd6488fd116a51ced0687de3 07-Jun-2013 Jakub Hrozek <jhrozek@redhat.com>

LDAP: sdap_id_ctx might contain several connections With some LDAP server implementations, one server might provide different "views" of the identites on different ports. One example is the Active Directory Global catalog. The provider would contact different view depending on which operation it is performing and against which SSSD domain. At the same time, these views run on the same server, which means the same server options, enumeration, cleanup or Kerberos service should be used. So instead of using several different failover ports or several instances of sdap_id_ctx, this patch introduces a new "struct sdap_id_conn_ctx" that contains the connection cache to the particular view and an instance of "struct sdap_options" that contains the URI. No functional changes are present in this patch, currently all providers use a single connection. Multiple connections will be used later in the upcoming patches.
39472b5dfcc82815ae819a5b5831859249962a4c 14-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fix broken build with selinux. Header file selinux/selinux.h was removed in commit 245cc346 from file ipa_selinux.c, because it breaks build without selinux. But new error was introduced. This patch fixes compilation with selinux and include header file selinux/selinux.h only if both macros exist HAVE_SELINUX and HAVE_SELINUX_LOGIN_DIR. Now ipa_selinux.c should be correctly built with and without selinux.
245cc346966b02aa032de092ff8910420e8305fa 13-May-2013 Lukas Slebodnik <lslebodn@redhat.com>

Fixes compilation without selinux. Compilation fail if ./configure is called with arguments --with-selinux --with-semanage and selinux header files are not installed. We didn't not catch this in fedora, because krb5-devel depends on libselinux-devel, but other distribution can package it differently. And API from selinux.h is not used in file ipa_selinux.c
313119612112b7ba97d9467277e8981d765b1eba 29-Apr-2013 Jakub Hrozek <jhrozek@redhat.com>

selinux: if no domain matches, make the debug message louder
b1829e54acbc8a010aca7f14b9ffa9625f8c102c 29-Apr-2013 Sumit Bose <sbose@redhat.com>

Make IPA SELinux provider aware of subdomain users Fixes https://fedorahosted.org/sssd/ticket/1892
78eba1cdd8e337d07b536afd9d6043482c88208e 27-Mar-2013 Jakub Hrozek <jhrozek@redhat.com>

selinux: Remove unused parameter https://fedorahosted.org/sssd/ticket/1848
ba4378f49914e65a7d687a872d9b938173841154 19-Mar-2013 Michal Zidek <mzidek@redhat.com>

Make the SELinux refresh time configurable. Option ipa_selinux_refresh is added to basic ipa options.
2ff2a7469ef0b23b3feb418f3ecfa8cfbfa2239c 19-Mar-2013 Michal Zidek <mzidek@redhat.com>

Reuse cached SELinux mappings. Reuse cached SELinux maps when they are requested within time interval (in this patch it is hardcoded to be 5 seconds). https://fedorahosted.org/sssd/ticket/1744
b42bb7d9dbf9a4c44a03e7bf1bab471a8a85e858 19-Mar-2013 Michal Zidek <mzidek@redhat.com>

Move SELinux processing to provider. The SELinux processing was distributed between provider and pam responder which resulted in hard to maintain code. This patch moves the logic to provider. IT ALSO REQUIRES CHANGE IN THE SELINUX POLICY, because the provider also writes the content of selinux login file to disk (which was done by responder before). https://fedorahosted.org/sssd/ticket/1743
cbaba2f47da96c4191971bce86f03afb3f88864a 21-Jan-2013 Simo Sorce <simo@redhat.com>

Add be_req_get_data() helper funciton. In preparation for making struct be_req opaque.
03abdaa21ecf562b714f204ca42379ff08626f75 21-Jan-2013 Simo Sorce <simo@redhat.com>

Add be_req_get_be_ctx() helper. In preparation for making be_req opaque
8e5549e453558d4bebdec333a93e215d5d6ffaec 21-Jan-2013 Simo Sorce <simo@redhat.com>

Introduce be_req_terminate() helper Call it everywhere instead of directly dereferencing be_req->fn This is in preparation of making be_req opaque.
ccc2af010bbbe6d8a7496fb717216135bc4c1993 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove domain from be_req structure
28c0e7ebc857bf488bbc043c9574de6abc1efea7 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb argument from hbac_get_cached_rules()
d34961fdcf5a999d9debee3d1d8e255457798295 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb argument from ipa_host_info_send()
24b715f096613d18f182cf0fff537e1fc79647fa 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be request structure member The sysdb context is already available through the 'domain' context.
df0596ec12bc5091608371e2977f3111241e8caf 21-Jan-2013 Simo Sorce <simo@redhat.com>

Remove sysdb as a be context structure member The sysdb context is already available through the 'domain' structure.

/sssd-io/src/providers/data_provider_be.c /sssd-io/src/providers/dp_backend.h ipa_auth.c ipa_hostid.c ipa_id.c ipa_selinux.c ipa_subdomains.c /sssd-io/src/providers/krb5/krb5_access.c /sssd-io/src/providers/krb5/krb5_auth.c /sssd-io/src/providers/krb5/krb5_renew_tgt.c /sssd-io/src/providers/ldap/ldap_auth.c /sssd-io/src/providers/ldap/ldap_common.c /sssd-io/src/providers/ldap/ldap_id.c /sssd-io/src/providers/ldap/ldap_id_cleanup.c /sssd-io/src/providers/ldap/ldap_id_enum.c /sssd-io/src/providers/ldap/ldap_id_netgroup.c /sssd-io/src/providers/ldap/ldap_id_services.c /sssd-io/src/providers/ldap/sdap_async_initgroups.c /sssd-io/src/providers/ldap/sdap_async_services.c /sssd-io/src/providers/ldap/sdap_async_sudo.c /sssd-io/src/providers/ldap/sdap_autofs.c /sssd-io/src/providers/ldap/sdap_idmap.c /sssd-io/src/providers/ldap/sdap_sudo.c /sssd-io/src/providers/proxy/proxy_auth.c /sssd-io/src/providers/proxy/proxy_id.c /sssd-io/src/providers/simple/simple_access.c /sssd-io/src/providers/simple/simple_access.h
740870643f337ce70d85f25f9ed057cd1f91028c 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb selinux functions
770896b194b7b66b09c2a30545b4d091fd86b1f4 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain argument to sysdb_search_custom() Also changes sysdb_search_custom_by_name()
2ce00e0d3896bb42db169d1e79553a81ca837a22 15-Jan-2013 Simo Sorce <simo@redhat.com>

Add domain to sysdb_search_user_by_name() Also remove unused sysdb_search_domuser_by_name()
de526c8425886ca3bed8f07a0f092ba5ac325654 15-Jan-2013 Simo Sorce <simo@redhat.com>

Make sysdb_custom_dn() require a domain.
fa0dba8f5536537a69d47218f2372d0f2582c12e 08-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

IPA: Rename IPA_CONFIG_SELINUX_DEFAULT_MAP It is not a map, but a default context. The name should reflect that.
a004ce714c20a7a5324393ea47f5dc115eb20713 08-Jan-2013 Jakub Hrozek <jhrozek@redhat.com>

SELINUX: Process maps even when offline Changes the ipa_get_selinux{send,recv} request so that it only delivers data and moves processing to the IPA selinux handler.
95f5e7963a36b7b68859ce91ae4b232088bbaa09 24-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

SYSDB: Remove unnecessary domain parameter from several sysdb calls The domain can be read from the sysdb object. Removing the domain string makes the API more self-contained.
ebb1f28998c06984765e3e78d30911c1c3ec84e2 13-Sep-2012 Jakub Hrozek <jhrozek@redhat.com>

SELinux: Always use the default if it exists on the server https://fedorahosted.org/sssd/ticket/1513 This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045 During an e-mail discussion, it was decided that * if the default is set in the IPA config object, the SSSD would use that default no matter what * if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether
21d485184df986e1a123f70c689517386e51a5ce 23-Aug-2012 Michal Zidek <mzidek@redhat.com>

Unify usage of sysdb transactions Removing bad examples of usage of sysdb_transaction_start/commit/end functions and making it more consistent (all files except of src/db/sysdb_*.c).
679a0abefcb838484a7e7278056da0f2524963c1 31-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Support fetching of host from sysdb in SELinux code The host record will be fetched if HBAC is used as access provider since the record is already downloaded and it can be trusted to be valid.
95d170adf00b15dd9863a82eb22837409ab69bf0 31-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Support fetching of HBAC rules from sysdb in SELinux code If HBAC is active, SELinux code will reuse them instead of downloading them from the server again.
38e2ec1c757955ab557fd95807afa58042d09482 27-Jul-2012 Jan Zeleny <jzeleny@redhat.com>

Renamed session provider to selinux provider