Ticket #1470 (closed defect: fixed)

Opened 3 years ago

Last modified 3 years ago

FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context

Reported by: jhrozek
Owned by: jhrozek
Priority: major
Milestone: SSSD 1.9.0 beta 7
Component: SSSD
Tests Updated: no
Patch Submitted: no
Red Hat Bugzilla: 846792

Description

https://bugzilla.redhat.com/show_bug.cgi?id=846792 (Fedora)

Description of problem:
A flaw in SSSD's access-provider logic causes the result of the HBAC rule
processing to be ignored in the event that the access-provider is also handling
the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
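
The failure mode described above, as an added illustration that is not SSSD's code and not part of the ticket: a small Python model of an access-provider chain in which the HBAC verdict is computed first and an SELinux user-context lookup runs afterwards. The buggy variant lets the status of the SELinux step become the PAM result, which is exactly the "denied by HBAC, yet logged in with the mapped context" outcome reported here; the fixed variant makes the HBAC denial final. The rule set, host name, user names and SELinux contexts are constructed for the example; the PAM status values are the standard Linux-PAM ones.

```python
"""Model of an access provider that evaluates HBAC rules and then resolves an
SELinux user context.  Illustrative only: constructed data, not SSSD's code."""
from dataclasses import dataclass

# Standard Linux-PAM return codes (security/_pam_types.h).
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6

# Constructed default context used when no SELinux user map matches.
DEFAULT_SELINUX_USER = "unconfined_u:s0-s0:c0.c1023"


@dataclass(frozen=True)
class HbacRule:
    """One FreeIPA-style HBAC allow rule; "ALL" in a set matches everything."""
    name: str
    users: frozenset
    hosts: frozenset
    services: frozenset
    enabled: bool = True

    def matches(self, user: str, host: str, service: str) -> bool:
        def hit(members, value):
            return "ALL" in members or value in members
        return (self.enabled and hit(self.users, user)
                and hit(self.hosts, host) and hit(self.services, service))


def hbac_evaluate(rules, user, host, service) -> int:
    """HBAC semantics: access is granted only if some enabled rule matches."""
    if any(rule.matches(user, host, service) for rule in rules):
        return PAM_SUCCESS
    return PAM_PERM_DENIED


def selinux_lookup(usermaps, user, host):
    """Resolve the SELinux user context for this login.  The lookup itself
    always succeeds: falling back to the default is not an error."""
    for users, hosts, context in usermaps:
        if ("ALL" in users or user in users) and ("ALL" in hosts or host in hosts):
            return PAM_SUCCESS, context
    return PAM_SUCCESS, DEFAULT_SELINUX_USER


def access_provider_buggy(rules, usermaps, user, host, service):
    """The flaw: the SELinux step runs unconditionally and its status is
    returned as the PAM result, so an HBAC denial is silently overwritten."""
    status = hbac_evaluate(rules, user, host, service)
    status, context = selinux_lookup(usermaps, user, host)  # clobbers the verdict
    return status, context


def access_provider_fixed(rules, usermaps, user, host, service):
    """Correct chaining: a denial from the access phase is final and later
    steps run only when access was granted."""
    status = hbac_evaluate(rules, user, host, service)
    if status != PAM_SUCCESS:
        return status, None
    return selinux_lookup(usermaps, user, host)


# Constructed data modelling the reproducer: allow_all is disabled, only alice
# may use sshd on the client, and bob has an SELinux user map to staff_u.
CLIENT = "client.example.test"
RULES = [
    HbacRule("allow_all", frozenset({"ALL"}), frozenset({"ALL"}),
             frozenset({"ALL"}), enabled=False),
    HbacRule("admins_ssh", frozenset({"alice"}), frozenset({CLIENT}),
             frozenset({"sshd"})),
]
USERMAPS = [
    (frozenset({"bob"}), frozenset({"ALL"}), "staff_u:s0-s0:c0.c1023"),
]


def reproduce(user="bob", host=CLIENT, service="sshd"):
    """Return both providers' results for one login attempt."""
    return {
        "buggy": access_provider_buggy(RULES, USERMAPS, user, host, service),
        "fixed": access_provider_fixed(RULES, USERMAPS, user, host, service),
    }


if __name__ == "__main__":
    for variant, (status, context) in reproduce().items():
        verdict = "granted" if status == PAM_SUCCESS else "denied"
        print(f"{variant}: access {verdict}, context={context}")
```

With this data the buggy provider grants bob access with the staff_u context even though no HBAC rule allows him, while the fixed provider denies him and never reaches the SELinux lookup; alice, who is allowed, gets the default context in the fixed variant because no user map names her.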

Change History

comment:1 Changed 3 years ago by dpal

  • Tests Updated unset
  • upgrade set to 0
  • tests set to 0
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0 RC1

comment:2 Changed 3 years ago by jhrozek

  • Owner changed from somebody to jhrozek

comment:3 Changed 3 years ago by jhrozek

  • Resolution set to fixed
  • Status changed from new to closed