Evaluating the rules to find the most specific one should work the same way with HBAC rules and without them. The code currently in git head (1.9.0 beta5) ignores specificity for rules linked with HBAC rules.
Here is my setup:
# ipa selinuxusermap-find
---------------------------
2 SELinux User Maps matched
---------------------------
  Rule name: hbac_test
  SELinux User: xguest_u:s0
  HBAC Rule: allow_all
  Enabled: TRUE

  Rule name: test_user1_specific_host_hbac
  SELinux User: user_u:s0-s0:c0.c1023
  HBAC Rule: test_user1_specific_host
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------

# ipa hbacrule-find
--------------------
2 HBAC rules matched
--------------------
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: test_user1_specific_host
  Enabled: TRUE
  Users: tuser1
  Hosts: ipaclient.example.com
I was logging in as tuser1 to ipaclient.example.com. The correct context would have been user_u; however, I always end up with xguest.
The specificity needs to work the same with or without HBAC rules; it's just a different source of information like host or user.
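The expected behaviour from the report above, as an added example that is not SSSD's code and not part of the original ticket: a simplified model in which a map linked to an HBAC rule takes its user and host from that rule and is then scored like any other map. The struct layout, function names and scoring weights are assumptions made for illustration; only the rule names and values come from the ticket's setup.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption): a NULL user/host means category "all". */
struct hbac_rule { const char *name, *user, *host; };
struct usermap {
    const char *name, *selinux_user;
    const char *user, *host;       /* direct members, used when hbac == NULL */
    const struct hbac_rule *hbac;  /* linked rule: user/host come from it */
};

/* -1 = no match, 1 = category "all", 2 = by name (illustrative weights). */
static int field_score(const char *rule_val, const char *actual) {
    if (rule_val == NULL) return 1;
    return strcmp(rule_val, actual) == 0 ? 2 : -1;
}

/* Resolve the HBAC link first, then score exactly as for a direct map. */
static int map_score(const struct usermap *m, const char *user, const char *host) {
    int us = field_score(m->hbac ? m->hbac->user : m->user, user);
    int hs = field_score(m->hbac ? m->hbac->host : m->host, host);
    return (us < 0 || hs < 0) ? -1 : us + hs;
}

/* SELinux user of the most specific applicable map, NULL if none (ties: first). */
const char *pick_selinux_user(const struct usermap *maps, size_t n,
                              const char *user, const char *host) {
    const char *best = NULL;
    int best_score = -1;
    for (size_t i = 0; i < n; i++) {
        int s = map_score(&maps[i], user, host);
        if (s > best_score) { best_score = s; best = maps[i].selinux_user; }
    }
    return best;
}

/* The two HBAC rules and two maps from the ticket's setup. */
static const struct hbac_rule allow_all = { "allow_all", NULL, NULL };
static const struct hbac_rule specific =
    { "test_user1_specific_host", "tuser1", "ipaclient.example.com" };
static const struct usermap ticket_maps[] = {
    { "hbac_test", "xguest_u:s0", NULL, NULL, &allow_all },
    { "test_user1_specific_host_hbac", "user_u:s0-s0:c0.c1023", NULL, NULL, &specific },
};

int main(void) {
    puts(pick_selinux_user(ticket_maps, 2, "tuser1", "ipaclient.example.com"));
    return 0;
}
```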
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
owner: somebody => jzeleny
patch: 0 => 1
status: new => assigned
master: - 33ecf38 - 1187b00
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @jhrozek:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/2477
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.