Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1071578
Description of problem:
FreeIPA allows the user to create a set of SELinux user maps. These are not cached properly, and as a result for a user with a domain joined system such as a laptop, when the system is started without access to the domain network, your SELinux permissions are reduced causing a lack in system functionality until you rejoin the domain network and login / out.

Version-Release number of selected component (if applicable):
1.11.4-1

How reproducible:
Always

Steps to Reproduce:
1. Join a laptop to a freeipa domain.
2. In freeipa, create a default selinux user map with a low label, i.e. user_u:user_r:user_t:s0. Then for the laptop system create a hbac rule for the user, and the laptop. Then create an selinux map for that hbac rule such as staff_u:staff_r:staff_t:s0:c0.c1023. Ensure that when you log in to the laptop on the network, you get the staff role.
3. Disconnect all network devices on the laptop, reboot and log in.

Actual results:
id -Z is user_u:user_r:user_t:s0

Expected results:
Since a login has already occurred the label of staff_u:staff_r:staff_t:s0:c0.c1023 should be cached, and given to the user.

Additional info:
Given the nature of this bug, where a user may end up mislabelled, either in a higher or lower context depending on the setup of the freeipa selinux defaults, this may pose a security risk.
This is a duplicate of #2264.
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
resolution: => duplicate
review: True => 0
selected: =>
status: new => closed
testsupdated: => 0
Metadata Update from @mkosek: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3307
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.