src/db/sysdb_selinux.c

	sysdb_selinux.c revision 4c11f752e1f10cf5740d53a3206bb795e9e34fe8
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/*
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   SSSD
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   System Database - SELinux support
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   Copyright (C) Jan Zeleny <jzeleny@redhat.com>    2012
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   This program is free software; you can redistribute it and/or modify
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   it under the terms of the GNU General Public License as published by
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   the Free Software Foundation; either version 3 of the License, or
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   (at your option) any later version.
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   This program is distributed in the hope that it will be useful,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   but WITHOUT ANY WARRANTY; without even the implied warranty of
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   GNU General Public License for more details.
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   You should have received a copy of the GNU General Public License
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen   along with this program.  If not, see <http://www.gnu.org/licenses/>.
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen*/
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "util/sss_selinux.h"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "db/sysdb_selinux.h"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen#include "db/sysdb_private.h"
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/* Some generic routines */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenstatic errno_t get_rm_msg(TALLOC_CTX *mem_ctx,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                          struct ldb_message *old_msg,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                          struct sysdb_attrs *new_attrs,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                          struct ldb_message **_msg)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message *rm_msg;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *tmp_str;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    int i;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    rm_msg = ldb_msg_new(mem_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (rm_msg == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    rm_msg->dn = old_msg->dn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    rm_msg->elements = talloc_zero_array(rm_msg, struct ldb_message_element,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                         old_msg->num_elements);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    rm_msg->num_elements = 0;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    for (i = 0; i < old_msg->num_elements; i++) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = sysdb_attrs_get_string(new_attrs, old_msg->elements[i].name, &tmp_str);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        if (ret != ENOENT) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            continue;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        rm_msg->elements[rm_msg->num_elements] = old_msg->elements[i];
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        rm_msg->elements[rm_msg->num_elements].flags = LDB_FLAG_MOD_DELETE;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        rm_msg->num_elements++;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        talloc_free(rm_msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    } else {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        *_msg = rm_msg;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenstatic errno_t
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainensysdb_add_selinux_entity(struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                         struct ldb_dn *dn,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                         const char *objectclass,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                         struct sysdb_attrs *attrs,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                         time_t now)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message *msg;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    TALLOC_CTX *tmp_ctx;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_ctx = talloc_new(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!tmp_ctx) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    msg = ldb_msg_new(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!msg) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, objectclass);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_OP_FAILURE, ("Could not set map object class [%d]: %s\n",
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen              ret, strerror(ret)));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!now) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        now = time(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, now);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    msg->dn = dn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    msg->elements = attrs->a;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    msg->num_elements = attrs->num;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = ldb_add(sysdb->ldb, msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_error_to_errno(ret);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_TRACE_LIBS, ("Error: %d (%s)\n", ret, strerror(ret)));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_zfree(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenstatic errno_t sysdb_store_selinux_entity(struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                          struct sysdb_attrs *attrs,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                          enum selinux_entity_type type)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    TALLOC_CTX *tmp_ctx;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message *msg;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message *rm_msg;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    bool in_transaction = false;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *objectclass;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *name;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    char *clean_name;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_dn *dn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t sret = EOK;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    time_t now;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_ctx = talloc_new(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!tmp_ctx) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    switch (type) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        case SELINUX_USER_MAP:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            objectclass = SYSDB_SELINUX_USERMAP_CLASS;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            ret = sysdb_attrs_get_string(attrs, SYSDB_NAME, &name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            ret = sysdb_dn_sanitize(tmp_ctx, name, &clean_name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                clean_name, sysdb->domain->name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            break;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        case SELINUX_CONFIG:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            objectclass = SYSDB_SELINUX_CLASS;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                sysdb->domain->name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            break;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (type != SELINUX_CONFIG && type != SELINUX_USER_MAP) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_CRIT_FAILURE, ("Bad SELinux entity type: [%d]\n", type));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = EINVAL;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!dn) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_transaction_start(sysdb);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    in_transaction = true;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    now = time(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (type == SELINUX_CONFIG) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = sysdb_search_selinux_config(tmp_ctx, sysdb, NULL, &msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    } else if (type == SELINUX_USER_MAP) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = sysdb_search_selinux_usermap_by_mapname(tmp_ctx, sysdb, name,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                      NULL, &msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret && ret != ENOENT) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret == ENOENT) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = sysdb_add_selinux_entity(sysdb, dn, objectclass, attrs, now);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_set_entry_attr(sysdb, dn, attrs, SYSDB_MOD_REP);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    /* Now delete attributes which are no longer present */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = get_rm_msg(tmp_ctx, msg, attrs, &rm_msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (rm_msg->num_elements > 0) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ldb_modify(sysdb->ldb, rm_msg);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (in_transaction) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        if (ret == EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            sret = sysdb_transaction_commit(sysdb);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            if (sret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        if (ret != EOK || sret != EOK){
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            sret = sysdb_transaction_cancel(sysdb);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            if (sret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n"));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_MINOR_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_zfree(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t sysdb_store_selinux_usermap(struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                    struct sysdb_attrs *attrs)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return sysdb_store_selinux_entity(sysdb, attrs, SELINUX_USER_MAP);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                   const char *default_user,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                   const char *order)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct sysdb_attrs *attrs;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    attrs = talloc_zero(NULL, struct sysdb_attrs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (attrs == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                 default_user);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_ORDER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                 order);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret =  sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_free(attrs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen/* --- SYSDB SELinux search routines --- */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                const char *name,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                const char **attrs,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                struct ldb_message **_usermap)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    TALLOC_CTX *tmp_ctx;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *def_attrs[] = { SYSDB_NAME,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_USER_CATEGORY,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_HOST_CATEGORY,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_ORIG_MEMBER_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_ORIG_MEMBER_HOST,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_SELINUX_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                NULL };
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message **msgs = NULL;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_dn *basedn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    size_t msgs_count = 0;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    char *clean_name;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    int ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_ctx = talloc_new(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!tmp_ctx) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_dn_sanitize(tmp_ctx, name, &clean_name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            clean_name, sysdb->domain->name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!basedn) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_BASE, NULL,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                             attrs?attrs:def_attrs, &msgs_count, &msgs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    *_usermap = talloc_steal(mem_ctx, msgs[0]);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret == ENOENT) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_TRACE_FUNC, ("No such entry\n"));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    else if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_TRACE_FUNC, ("Error: %d (%s)\n", ret, strerror(ret)));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_zfree(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                 struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                 const char *username,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                                 struct ldb_message ***_usermaps)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    TALLOC_CTX *tmp_ctx;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *attrs[] = { SYSDB_NAME,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_USER_CATEGORY,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_HOST_CATEGORY,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_ORIG_MEMBER_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_ORIG_MEMBER_HOST,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_SELINUX_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            NULL };
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message **msgs = NULL;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct sysdb_attrs *user;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct sysdb_attrs *tmp_attrs;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message **usermaps;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct sss_domain_info *domain;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_dn *basedn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    size_t msgs_count = 0;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    size_t usermaps_cnt;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    char *filter;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    int i;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_ctx = talloc_new(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!tmp_ctx) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    /* Now extract user attributes */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sss_selinux_extract_user(tmp_ctx, sysdb, username, &user);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret != EOK) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    /* Now extract all SELinux user maps */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    domain = sysdb_ctx_get_domain(sysdb);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(sysdb),
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            SYSDB_TMPL_SELINUX_BASE, domain->name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!basedn) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    filter = talloc_asprintf(tmp_ctx, "(objectclass=%s)", SYSDB_SELINUX_USERMAP_CLASS);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (filter == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_SUBTREE, filter,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                             attrs, &msgs_count, &msgs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    /* Now filter those that match */
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_attrs = talloc_zero(tmp_ctx, struct sysdb_attrs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (tmp_attrs == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    usermaps = talloc_zero_array(tmp_ctx, struct ldb_message *, msgs_count + 1);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (usermaps == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    usermaps_cnt = 0;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    for (i = 0; i < msgs_count; i++) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        tmp_attrs->a = msgs[i]->elements;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        tmp_attrs->num = msgs[i]->num_elements;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        if (sss_selinux_match(tmp_attrs, user, NULL)) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            usermaps[usermaps_cnt] = talloc_steal(usermaps, msgs[i]);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            usermaps_cnt++;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        } else {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen            talloc_zfree(msgs[i]);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (usermaps[0] == NULL) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOENT;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    *_usermaps = talloc_steal(mem_ctx, usermaps);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_zfree(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainenerrno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                    struct sysdb_ctx *sysdb,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                    const char **attrs,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                    struct ldb_message **_config)
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen{
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    TALLOC_CTX *tmp_ctx;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    const char *def_attrs[] = { SYSDB_SELINUX_DEFAULT_USER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                SYSDB_SELINUX_DEFAULT_ORDER,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                                NULL };
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_message **msgs;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    size_t msgs_count;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    struct ldb_dn *basedn;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    errno_t ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    tmp_ctx = talloc_new(NULL);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!tmp_ctx) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        return ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                            sysdb->domain->name);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (!basedn) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        ret = ENOMEM;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_BASE, NULL,
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen                             attrs?attrs:def_attrs, &msgs_count, &msgs);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        goto done;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    *_config = talloc_steal(mem_ctx, msgs[0]);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainendone:
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    if (ret == ENOENT) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_TRACE_FUNC, ("No SELinux root entry found\n"));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    } else if (ret) {
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen        DEBUG(SSSDBG_TRACE_FUNC, ("Error: %d (%s)\n", ret, strerror(ret)));
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    }
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    talloc_free(tmp_ctx);
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen    return ret;
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen}
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen
0cb2e8eb55e70f8ebe1e8349bdf49e4cbe5d8834Timo Sirainen