#1470 FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Closed: Fixed None Opened 11 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=846792 (Fedora)

Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule
processing to be ignored in the event that the access-provider is also handling
the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
3. Configure the FreeIPA server to provide an SELinux user context rule for the
same user
4. Configure SSSD with session_provider = ipa
5. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
tests: => 0
testsupdated: => 0
upgrade: => 0

master: ffcf27b

owner: somebody => jhrozek

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2512

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata