Ticket #1470 (closed defect: fixed)
FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Reported by: jhrozek
Owned by: jhrozek
Priority: major
Milestone: SSSD 1.9.0 beta 7
Patch Submitted: no
Red Hat Bugzilla: 846792
Description of problem:
A flaw in SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
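The defect class behind this ticket is a status variable that is overwritten by a later, non-authorization step, so that a successful SELinux context lookup masks an HBAC deny. The following C model, added here as an illustration and not taken from SSSD's source, reproduces that failure mode beside the corrected control flow. All names (`access_buggy`, `access_fixed`, `hbac_evaluate`, `selinux_lookup`, the `MODEL_*` status values) are hypothetical; the real provider's functions and status codes are not reproduced.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model status codes (hypothetical, standing in for the PAM result the
 * access provider hands back). */
enum model_status { MODEL_PERMIT = 0, MODEL_DENY = 6 };

/* HBAC evaluation is modelled by its outcome: the constructed input says
 * whether the matching HBAC rules allow the login. */
static int hbac_evaluate(bool hbac_allows)
{
    return hbac_allows ? MODEL_PERMIT : MODEL_DENY;
}

/* SELinux user-map lookup: reports success whenever a mapping exists.
 * Its return value means "lookup worked", not "access is authorized". */
static int selinux_lookup(const char *selinux_user, const char **ctx_out)
{
    if (ctx_out != NULL) {
        *ctx_out = selinux_user;
    }
    return MODEL_PERMIT;
}

/* Buggy flow: the lookup's status overwrites the HBAC verdict, so a user
 * denied by HBAC is permitted as soon as an SELinux rule exists for them. */
int access_buggy(bool hbac_allows, const char *selinux_user,
                 const char **ctx_out)
{
    int status = hbac_evaluate(hbac_allows);

    if (selinux_user != NULL) {
        status = selinux_lookup(selinux_user, ctx_out); /* BUG: clobbers DENY */
    }
    return status;
}

/* Fixed flow: a deny is final and short-circuits before any context is
 * assigned; a failed lookup for a permitted user fails closed. */
int access_fixed(bool hbac_allows, const char *selinux_user,
                 const char **ctx_out)
{
    int status = hbac_evaluate(hbac_allows);

    if (status != MODEL_PERMIT) {
        if (ctx_out != NULL) {
            *ctx_out = NULL; /* never hand out a context to a denied user */
        }
        return status;
    }
    if (selinux_user != NULL &&
        selinux_lookup(selinux_user, ctx_out) != MODEL_PERMIT) {
        return MODEL_DENY;
    }
    return MODEL_PERMIT;
}

int main(void)
{
    /* Constructed case matching the ticket: HBAC denies the user, and an
     * SELinux user-map rule exists for the same user. */
    const char *ctx = NULL;
    int st = access_buggy(false, "staff_u", &ctx);
    printf("buggy: status=%d context=%s\n", st, ctx ? ctx : "(none)");

    ctx = NULL;
    st = access_fixed(false, "staff_u", &ctx);
    printf("fixed: status=%d context=%s\n", st, ctx ? ctx : "(none)");
    return 0;
}
```

Without an SELinux rule for the user, the buggy flow still denies correctly, which is why the problem only surfaces when the provider handles both HBAC and the SELinux context, exactly the combination the reproduction steps set up. The fix is structural rather than a tweak to the lookup: the authorization verdict is decided first and later steps may only narrow it.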
- Milestone changed from NEEDS_TRIAGE to SSSD 1.9.0 RC1
- Tests Updated unset
- upgrade set to 0
- tests set to 0