sysdb_selinux.c revision ecfd767c65c39414a86937380b9986c6d2e0aecf
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny System Database - SELinux support
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny Copyright (C) Jan Zeleny <jzeleny@redhat.com> 2012
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny This program is free software; you can redistribute it and/or modify
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny it under the terms of the GNU General Public License as published by
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny the Free Software Foundation; either version 3 of the License, or
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny (at your option) any later version.
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny This program is distributed in the hope that it will be useful,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny but WITHOUT ANY WARRANTY; without even the implied warranty of
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny GNU General Public License for more details.
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny You should have received a copy of the GNU General Public License
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny along with this program. If not, see <http://www.gnu.org/licenses/>.
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny/* Some generic routines */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny rm_msg->elements = talloc_zero_array(rm_msg, struct ldb_message_element,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_get_string(new_attrs, old_msg->elements[i].name, &tmp_str);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny rm_msg->elements[rm_msg->num_elements] = old_msg->elements[i];
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny rm_msg->elements[rm_msg->num_elements].flags = LDB_FLAG_MOD_DELETE;
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_add_string(attrs, SYSDB_OBJECTCLASS, objectclass);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_OP_FAILURE, ("Could not set map object class [%d]: %s\n",
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_add_time_t(attrs, SYSDB_CREATE_TIME, now);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_TRACE_LIBS, ("Error: %d (%s)\n", ret, strerror(ret)));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenystatic errno_t sysdb_store_selinux_entity(struct sysdb_ctx *sysdb,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char *name;
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_get_string(attrs, SYSDB_NAME, &name);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_dn_sanitize(tmp_ctx, name, &clean_name);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny dn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny if (type != SELINUX_CONFIG && type != SELINUX_USER_MAP) {
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_CRIT_FAILURE, ("Bad SELinux entity type: [%d]\n", type));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_add_time_t(attrs, SYSDB_LAST_UPDATE, now);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_search_selinux_config(tmp_ctx, sysdb, NULL, &msg);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_search_selinux_usermap_by_mapname(tmp_ctx, sysdb, name,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_add_selinux_entity(sysdb, dn, objectclass, attrs, now);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_set_entry_attr(sysdb, dn, attrs, SYSDB_MOD_REP);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny /* Now delete attributes which are no longer present */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_OP_FAILURE, ("Could not commit transaction\n"));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_OP_FAILURE, ("Could not cancel transaction\n"));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_MINOR_FAILURE, ("Error: %d (%s)\n", ret, strerror(ret)));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenyerrno_t sysdb_store_selinux_usermap(struct sysdb_ctx *sysdb,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny return sysdb_store_selinux_entity(sysdb, attrs, SELINUX_USER_MAP);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenyerrno_t sysdb_store_selinux_config(struct sysdb_ctx *sysdb,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char *order)
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_USER,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_attrs_add_string(attrs, SYSDB_SELINUX_DEFAULT_ORDER,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_store_selinux_entity(sysdb, attrs, SELINUX_CONFIG);
ecfd767c65c39414a86937380b9986c6d2e0aecfJakub Hrozekerrno_t sysdb_delete_usermaps(struct sysdb_ctx *sysdb)
ecfd767c65c39414a86937380b9986c6d2e0aecfJakub Hrozek DEBUG(SSSDBG_CRIT_FAILURE, ("sysdb_delete_recursive failed.\n"));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny/* --- SYSDB SELinux search routines --- */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenyerrno_t sysdb_search_selinux_usermap_by_mapname(TALLOC_CTX *mem_ctx,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char *name,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char **attrs,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_dn_sanitize(tmp_ctx, name, &clean_name);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SEUSERMAP,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_BASE, NULL,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_TRACE_FUNC, ("Error: %d (%s)\n", ret, strerror(ret)));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenyerrno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny /* Now extract user attributes */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sss_selinux_extract_user(tmp_ctx, sysdb, username, &user);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny /* Now extract all SELinux user maps */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny basedn = ldb_dn_new_fmt(tmp_ctx, sysdb_ctx_get_ldb(sysdb),
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny filter = talloc_asprintf(tmp_ctx, "(objectclass=%s)", SYSDB_SELINUX_USERMAP_CLASS);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_SUBTREE, filter,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny /* Now filter those that match */
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny tmp_attrs = talloc_zero(tmp_ctx, struct sysdb_attrs);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny usermaps = talloc_zero_array(tmp_ctx, struct ldb_message *, msgs_count + 1);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny for (i = 0; i < msgs_count; i++) {
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47Jan Zeleny if (sss_selinux_match(tmp_attrs, user, NULL, &priority)) {
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47Jan Zeleny /* Now figure out host priority */
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47Jan Zeleny /* This rule has lower priority than what we already have,
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47Jan Zeleny * skip it */
1a3e6221b38a7cae27d7e84a30bb8ea3c3900a47Jan Zeleny /* If the rule has higher priority, drop what we already
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny usermaps[usermaps_cnt] = talloc_steal(usermaps, msgs[i]);
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zelenyerrno_t sysdb_search_selinux_config(TALLOC_CTX *mem_ctx,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char **attrs,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny const char *def_attrs[] = { SYSDB_SELINUX_DEFAULT_USER,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny basedn = ldb_dn_new_fmt(tmp_ctx, sysdb->ldb, SYSDB_TMPL_SELINUX_BASE,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny ret = sysdb_search_entry(tmp_ctx, sysdb, basedn, LDB_SCOPE_BASE, NULL,
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_TRACE_FUNC, ("No SELinux root entry found\n"));
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny } else if (ret) {
4c11f752e1f10cf5740d53a3206bb795e9e34fe8Jan Zeleny DEBUG(SSSDBG_TRACE_FUNC, ("Error: %d (%s)\n", ret, strerror(ret)));