Issue #1427: Don't refersh HBAC rules when looking up SELinux rules - sssd

SSSD / sssd

#1427 Don't refersh HBAC rules when looking up SELinux rules

Closed: Fixed None Opened 11 years ago by sgallagh.

ipa_get_selinux_maps_done() has a FIXME in it that we should address. Currently, we always refresh the complete set of HBAC rules whenever we process SELinux rules. However, in the vast majority of cases, we have already done this in the pam_acct_mgmt stack already. This is a wasted trip to LDAP. The only case where we don't is if pam_sss.so has been removed from the 'account' stack.

What we should do is check whether there are any non-expired HBAC rules currently in the cache. If there are, skip the HBAC update during the SELinux session phase.

dpal commented 11 years ago

Does sssd know if it is in the account stack or not? Can this be detected in advance and checked in this case?

sgallagh commented 11 years ago

Sorry, maybe I was unclear above. My point was that if any HBAC rules exist in the cache, it means two things:
1) SSSD exists in the PAM_ACCT_MGMT stack
2) This domain has access_provide = ipa

So from my perspective, this is enough information to avoid an HBAC lookup in the session stack (adding the caveat that checking for expiration time would help us in the rare situation where they turned off the HBAC lookup at some point).

dpal commented 11 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
priority: critical => major
rhbz: => 0

jhrozek commented 11 years ago

Fields changed

milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 7

jzeleny commented 11 years ago

Fields changed

owner: somebody => jzeleny
status: new => assigned

jhrozek commented 11 years ago

master:
- 1390b5d
- 95d170a
- 679a0ab

patch: 0 => 1
resolution: => fixed
status: assigned => closed

jhrozek commented 11 years ago

Fields changed

milestone: SSSD 1.9.0 beta 7 => SSSD 1.9.0 beta 6

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2469

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

jzeleny

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.9.0 beta 6

type

defect

component

SELinux

version

master

selected

None

testsupdated

patch

rhbz

design_review

None

review

None

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#1427 Don't refersh HBAC rules when looking up SELinux rules Closed: Fixed None Opened 11 years ago by sgallagh.

Metadata

#1427 Don't refersh HBAC rules when looking up SELinux rules

Closed: Fixed None Opened 11 years ago by sgallagh.