New upstream release 1.9.0 RC1
This commit is contained in:
parent
586ea1b402
commit
6cde68d41f
1
.gitignore
vendored
1
.gitignore
vendored
@ -35,3 +35,4 @@ sssd-1.2.91.tar.gz
|
|||||||
/sssd-1.9.0beta5.tar.gz
|
/sssd-1.9.0beta5.tar.gz
|
||||||
/sssd-1.9.0beta6.tar.gz
|
/sssd-1.9.0beta6.tar.gz
|
||||||
/sssd-1.9.0beta7.tar.gz
|
/sssd-1.9.0beta7.tar.gz
|
||||||
|
/sssd-1.9.0rc1.tar.gz
|
||||||
|
@ -1,24 +0,0 @@
|
|||||||
From ffcf27b0b773b580289d596f796aaf86c45ba920 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Wed, 8 Aug 2012 19:26:35 +0200
|
|
||||||
Subject: [PATCH] Abort PAM access phase if HBAC does not return PAM_SUCCESS
|
|
||||||
|
|
||||||
---
|
|
||||||
src/providers/data_provider_be.c | 1 +
|
|
||||||
1 file changed, 1 insertion(+)
|
|
||||||
|
|
||||||
diff --git a/src/providers/data_provider_be.c b/src/providers/data_provider_be.c
|
|
||||||
index 2e4ee0754e62a48248cc7537243705b3a1004502..dcce69ca42fe4b8f216a69a6877e0aeaf20872cc 100644
|
|
||||||
--- a/src/providers/data_provider_be.c
|
|
||||||
+++ b/src/providers/data_provider_be.c
|
|
||||||
@@ -793,6 +793,7 @@ static void be_pam_handler_callback(struct be_req *req,
|
|
||||||
pd = talloc_get_type(req->req_data, struct pam_data);
|
|
||||||
|
|
||||||
if (pd->cmd == SSS_PAM_ACCT_MGMT &&
|
|
||||||
+ pd->pam_status == PAM_SUCCESS &&
|
|
||||||
req->phase == REQ_PHASE_ACCESS &&
|
|
||||||
dp_err_type == DP_ERR_OK) {
|
|
||||||
if (!becli->bectx->bet_info[BET_SELINUX].bet_ops) {
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
@ -1,44 +0,0 @@
|
|||||||
From 79402313dc0d7f854b4334dd427e03b7baf0b9db Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Sun, 5 Aug 2012 22:03:11 +0200
|
|
||||||
Subject: [PATCH 1/2] Do not try to remove the temp login file if already
|
|
||||||
renamed
|
|
||||||
|
|
||||||
write_selinux_string() would try to unlink the temporary file even after
|
|
||||||
it was renamed. Failure to unlink the file would not be fatal, but would
|
|
||||||
produce a confusing error message.
|
|
||||||
|
|
||||||
Also don't use "0" for the default fd number, that's reserved for stdin.
|
|
||||||
Using -1 is safer.
|
|
||||||
---
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 5 +++--
|
|
||||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 8c9dd9b557982e04989bf9e63fd93ea294979252..944845a86dfa8166367029e6f7bddc478e5ebd03 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -366,7 +366,7 @@ static errno_t write_selinux_string(const char *username, char *string)
|
|
||||||
char *tmp_path = NULL;
|
|
||||||
ssize_t written;
|
|
||||||
int len;
|
|
||||||
- int fd = 0;
|
|
||||||
+ int fd = -1;
|
|
||||||
mode_t oldmask;
|
|
||||||
TALLOC_CTX *tmp_ctx;
|
|
||||||
char *full_string = NULL;
|
|
||||||
@@ -437,9 +437,10 @@ static errno_t write_selinux_string(const char *username, char *string)
|
|
||||||
} else {
|
|
||||||
ret = EOK;
|
|
||||||
}
|
|
||||||
+ fd = -1;
|
|
||||||
|
|
||||||
done:
|
|
||||||
- if (fd > 0) {
|
|
||||||
+ if (fd != -1) {
|
|
||||||
close(fd);
|
|
||||||
if (unlink(tmp_path) < 0) {
|
|
||||||
DEBUG(SSSDBG_MINOR_FAILURE, ("Could not remove file [%s]",
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
@ -1,223 +0,0 @@
|
|||||||
From f004e23af14fe020d81b8f97f30b448105b79606 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Jakub Hrozek <jhrozek@redhat.com>
|
|
||||||
Date: Sun, 5 Aug 2012 22:37:09 +0200
|
|
||||||
Subject: [PATCH 2/2] Only create the SELinux login file if there are mappings
|
|
||||||
on the server
|
|
||||||
|
|
||||||
https://fedorahosted.org/sssd/ticket/1455
|
|
||||||
|
|
||||||
In case there are no rules on the IPA server, we must simply avoid generating
|
|
||||||
the login file. That would make us fall back to the system-wide default
|
|
||||||
defined in /etc/selinux/targeted/seusers.
|
|
||||||
|
|
||||||
The IPA default must be only used if there *are* rules on the server,
|
|
||||||
but none matches.
|
|
||||||
---
|
|
||||||
src/db/sysdb_selinux.c | 7 +--
|
|
||||||
src/responder/pam/pamsrv_cmd.c | 120 ++++++++++++++++++++++++++---------------
|
|
||||||
2 files changed, 77 insertions(+), 50 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/db/sysdb_selinux.c b/src/db/sysdb_selinux.c
|
|
||||||
index eaf07b50a4435b11f937473e37c708edc6e2e0eb..976489503e0995b7e025146c23a7f4e7874c1643 100644
|
|
||||||
--- a/src/db/sysdb_selinux.c
|
|
||||||
+++ b/src/db/sysdb_selinux.c
|
|
||||||
@@ -364,7 +364,7 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
|
|
||||||
struct ldb_message **msgs = NULL;
|
|
||||||
struct sysdb_attrs *user;
|
|
||||||
struct sysdb_attrs *tmp_attrs;
|
|
||||||
- struct ldb_message **usermaps;
|
|
||||||
+ struct ldb_message **usermaps = NULL;
|
|
||||||
struct sss_domain_info *domain;
|
|
||||||
struct ldb_dn *basedn;
|
|
||||||
size_t msgs_count = 0;
|
|
||||||
@@ -462,11 +462,6 @@ errno_t sysdb_search_selinux_usermap_by_username(TALLOC_CTX *mem_ctx,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (usermaps[0] == NULL) {
|
|
||||||
- ret = ENOENT;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
*_usermaps = talloc_steal(mem_ctx, usermaps);
|
|
||||||
|
|
||||||
ret = EOK;
|
|
||||||
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
index 944845a86dfa8166367029e6f7bddc478e5ebd03..238b4fa7feee666e3419eae55c4952e45fd7184c 100644
|
|
||||||
--- a/src/responder/pam/pamsrv_cmd.c
|
|
||||||
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
||||||
@@ -359,8 +359,10 @@ fail:
|
|
||||||
#ifdef HAVE_SELINUX
|
|
||||||
|
|
||||||
#define ALL_SERVICES "*"
|
|
||||||
+#define selogin_path(mem_ctx, username) \
|
|
||||||
+ talloc_asprintf(mem_ctx, "%s/logins/%s", selinux_policy_root(), username)
|
|
||||||
|
|
||||||
-static errno_t write_selinux_string(const char *username, char *string)
|
|
||||||
+static errno_t write_selinux_login_file(const char *username, char *string)
|
|
||||||
{
|
|
||||||
char *path = NULL;
|
|
||||||
char *tmp_path = NULL;
|
|
||||||
@@ -383,8 +385,7 @@ static errno_t write_selinux_string(const char *username, char *string)
|
|
||||||
return ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
- path = talloc_asprintf(tmp_ctx, "%s/logins/%s", selinux_policy_root(),
|
|
||||||
- username);
|
|
||||||
+ path = selogin_path(tmp_ctx, username);
|
|
||||||
if (path == NULL) {
|
|
||||||
ret = ENOMEM;
|
|
||||||
goto done;
|
|
||||||
@@ -452,7 +453,33 @@ done:
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
|
|
||||||
-static errno_t get_selinux_string(struct pam_auth_req *preq)
|
|
||||||
+static errno_t remove_selinux_login_file(const char *username)
|
|
||||||
+{
|
|
||||||
+ char *path;
|
|
||||||
+ errno_t ret;
|
|
||||||
+
|
|
||||||
+ path = selogin_path(NULL, username);
|
|
||||||
+ if (!path) return ENOMEM;
|
|
||||||
+
|
|
||||||
+ errno = 0;
|
|
||||||
+ ret = unlink(path);
|
|
||||||
+ if (ret < 0) {
|
|
||||||
+ ret = errno;
|
|
||||||
+ if (ret == ENOENT) {
|
|
||||||
+ /* Just return success if the file was not there */
|
|
||||||
+ ret = EOK;
|
|
||||||
+ } else {
|
|
||||||
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
||||||
+ ("Could not remove login file %s [%d]: %s\n",
|
|
||||||
+ path, ret, strerror(ret)));
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ talloc_free(path);
|
|
||||||
+ return ret;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+static errno_t process_selinux_mappings(struct pam_auth_req *preq)
|
|
||||||
{
|
|
||||||
struct sysdb_ctx *sysdb;
|
|
||||||
TALLOC_CTX *tmp_ctx;
|
|
||||||
@@ -464,7 +491,7 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
|
|
||||||
const char *tmp_str;
|
|
||||||
char *order = NULL;
|
|
||||||
char **order_array;
|
|
||||||
- errno_t ret;
|
|
||||||
+ errno_t ret, err;
|
|
||||||
int i, j;
|
|
||||||
size_t order_count;
|
|
||||||
size_t len = 0;
|
|
||||||
@@ -550,53 +577,58 @@ static errno_t get_selinux_string(struct pam_auth_req *preq)
|
|
||||||
&usermaps);
|
|
||||||
if (ret != EOK && ret != ENOENT) {
|
|
||||||
goto done;
|
|
||||||
+ } else if (ret == ENOENT) {
|
|
||||||
+ DEBUG(SSSDBG_TRACE_FUNC, ("No maps defined on the server\n"));
|
|
||||||
+ ret = EOK;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (ret == ENOENT) {
|
|
||||||
- DEBUG(SSSDBG_TRACE_FUNC, ("No user maps found, using default!"));
|
|
||||||
- file_content = talloc_strdup(tmp_ctx, default_user);
|
|
||||||
- if (file_content == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- } else {
|
|
||||||
- /* Iterate through the order array and try to find SELinux users
|
|
||||||
- * in fetched maps. The order array contains all SELinux users
|
|
||||||
- * allowed in the domain in the same order they should appear
|
|
||||||
- * in the SELinux config file. If any user from the order array
|
|
||||||
- * is not in fetched user maps, it means it should not be allowed
|
|
||||||
- * for the user who is just logging in.
|
|
||||||
- *
|
|
||||||
- * Right now we have empty content of the SELinux config file,
|
|
||||||
- * we shall add only those SELinux users that are present both in
|
|
||||||
- * the order array and user maps applicable to the user who is
|
|
||||||
- * logging in.
|
|
||||||
- */
|
|
||||||
- for (i = 0; i < order_count; i++) {
|
|
||||||
- for (j = 0; usermaps[j] != NULL; j++) {
|
|
||||||
- tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
|
|
||||||
+ /* If no maps match, we'll use the default SELinux user from the
|
|
||||||
+ * config */
|
|
||||||
+ file_content = talloc_strdup(tmp_ctx, default_user);
|
|
||||||
+ if (file_content == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Iterate through the order array and try to find SELinux users
|
|
||||||
+ * in fetched maps. The order array contains all SELinux users
|
|
||||||
+ * allowed in the domain in the same order they should appear
|
|
||||||
+ * in the SELinux config file. If any user from the order array
|
|
||||||
+ * is not in fetched user maps, it means it should not be allowed
|
|
||||||
+ * for the user who is just logging in.
|
|
||||||
+ *
|
|
||||||
+ * Right now we have empty content of the SELinux config file,
|
|
||||||
+ * we shall add only those SELinux users that are present both in
|
|
||||||
+ * the order array and user maps applicable to the user who is
|
|
||||||
+ * logging in.
|
|
||||||
+ */
|
|
||||||
+ for (i = 0; i < order_count; i++) {
|
|
||||||
+ for (j = 0; usermaps[j] != NULL; j++) {
|
|
||||||
+ tmp_str = sss_selinux_map_get_seuser(usermaps[j]);
|
|
||||||
|
|
||||||
- if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
|
|
||||||
- /* If file_content contained something, overwrite it.
|
|
||||||
- * This record has higher priority.
|
|
||||||
- */
|
|
||||||
- talloc_zfree(file_content);
|
|
||||||
- file_content = talloc_strdup(tmp_ctx, tmp_str);
|
|
||||||
- if (file_content == NULL) {
|
|
||||||
- ret = ENOMEM;
|
|
||||||
- goto done;
|
|
||||||
- }
|
|
||||||
- break;
|
|
||||||
+ if (tmp_str && !strcasecmp(tmp_str, order_array[i])) {
|
|
||||||
+ /* If file_content contained something, overwrite it.
|
|
||||||
+ * This record has higher priority.
|
|
||||||
+ */
|
|
||||||
+ talloc_zfree(file_content);
|
|
||||||
+ file_content = talloc_strdup(tmp_ctx, tmp_str);
|
|
||||||
+ if (file_content == NULL) {
|
|
||||||
+ ret = ENOMEM;
|
|
||||||
+ goto done;
|
|
||||||
}
|
|
||||||
+ break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (file_content) {
|
|
||||||
- ret = write_selinux_string(pd->user, file_content);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
+ ret = write_selinux_login_file(pd->user, file_content);
|
|
||||||
done:
|
|
||||||
+ if (!file_content) {
|
|
||||||
+ err = remove_selinux_login_file(pd->user);
|
|
||||||
+ /* Don't overwrite original error condition if there was one */
|
|
||||||
+ if (ret == EOK) ret = err;
|
|
||||||
+ }
|
|
||||||
talloc_free(tmp_ctx);
|
|
||||||
return ret;
|
|
||||||
}
|
|
||||||
@@ -802,7 +834,7 @@ static void pam_reply(struct pam_auth_req *preq)
|
|
||||||
pd->pam_status == PAM_SUCCESS) {
|
|
||||||
/* Try to fetch data from sysdb
|
|
||||||
* (auth already passed -> we should have them) */
|
|
||||||
- ret = get_selinux_string(preq);
|
|
||||||
+ ret = process_selinux_mappings(preq);
|
|
||||||
if (ret != EOK) {
|
|
||||||
pd->pam_status = PAM_SYSTEM_ERR;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
1.7.11.2
|
|
||||||
|
|
2
sources
2
sources
@ -1 +1 @@
|
|||||||
6ac3b4a29f5f8f154133583ed4644aab sssd-1.9.0beta7.tar.gz
|
24c40663bad101c58335618b2abb064f sssd-1.9.0rc1.tar.gz
|
||||||
|
12
sssd.spec
12
sssd.spec
@ -16,12 +16,12 @@
|
|||||||
|
|
||||||
Name: sssd
|
Name: sssd
|
||||||
Version: 1.9.0
|
Version: 1.9.0
|
||||||
Release: 21%{?dist}.beta7
|
Release: 22%{?dist}.rc1
|
||||||
Group: Applications/System
|
Group: Applications/System
|
||||||
Summary: System Security Services Daemon
|
Summary: System Security Services Daemon
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
URL: http://fedorahosted.org/sssd/
|
URL: http://fedorahosted.org/sssd/
|
||||||
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}beta7.tar.gz
|
Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}rc1.tar.gz
|
||||||
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
|
||||||
|
|
||||||
### Patches ###
|
### Patches ###
|
||||||
@ -209,7 +209,7 @@ UpdateTimestamps() {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
%setup -q -n %{name}-1.8.97
|
%setup -q -n %{name}-1.8.98
|
||||||
|
|
||||||
for p in %patches ; do
|
for p in %patches ; do
|
||||||
%__patch -p1 -i $p
|
%__patch -p1 -i $p
|
||||||
@ -237,9 +237,6 @@ autoreconf -ivf
|
|||||||
make %{?_smp_mflags} all docs
|
make %{?_smp_mflags} all docs
|
||||||
|
|
||||||
%check
|
%check
|
||||||
# 'patch' doesn't create the new tests with the executable flag
|
|
||||||
chmod +x src/tests/pyhbac-test.py
|
|
||||||
|
|
||||||
export CK_TIMEOUT_MULTIPLIER=10
|
export CK_TIMEOUT_MULTIPLIER=10
|
||||||
make %{?_smp_mflags} check
|
make %{?_smp_mflags} check
|
||||||
unset CK_TIMEOUT_MULTIPLIER
|
unset CK_TIMEOUT_MULTIPLIER
|
||||||
@ -516,6 +513,9 @@ fi
|
|||||||
%postun -n libsss_sudo -p /sbin/ldconfig
|
%postun -n libsss_sudo -p /sbin/ldconfig
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Sep 14 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.9.0-22.rc1
|
||||||
|
- New upstream release 1.9.0 rc1
|
||||||
|
|
||||||
* Thu Sep 06 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.9.0-21.beta7
|
* Thu Sep 06 2012 Jakub Hrozek <jhrozek@redhat.com> - 1.9.0-21.beta7
|
||||||
- New upstream release 1.9.0 beta7
|
- New upstream release 1.9.0 beta7
|
||||||
- obsoletes patches #1-#3
|
- obsoletes patches #1-#3
|
||||||
|
Loading…
Reference in New Issue
Block a user