Dan looked into the user mapping and here is one thing he found:
[16:55] dwalsh Ok the code expects SERVICE:USER:LEVEL
[16:56] dwalsh *:user_u:s0-s0:c0.c1023
[16:56] dwalsh Would be the correct format
The file that sssd wrote out was missing the service part and just had the user/level portions.
I think using * now for all services is fine. The IPA SELinux user maps do not have the concept of services so by implication it applies to all.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.0
rhbz: => 0
owner: somebody => jzeleny
status: new => assigned
patch: 0 => 1
This build works with a single user map: sssd-1.8.93-0.20120618T1837Zgitbb79e75.fc17
Multiple maps still end up with a mal-formatted logins file:
*:user_u:s0-s0:c0.c1023 staff_u:s0-s0:c0.c1023 unconfined_u:s0-s0:c0.c1023
It should probably just write out a single entry which represents the best match for that user based on the selinux user map rules since this is going to match all services.
Yes, the algorithm is in fact supposed to write out just one user map. Could you please describe how to reproduce this issue, i.e. how to get multiple maps in the file? Thanks
I just created three rules that would match the user I'm logging in as. I wanted to test that the correct rule would be applied:
Rule name: test_all
SELinux User: unconfined_u:s0-s0:c0.c1023
User category: all
Host category: all
Enabled: TRUE

Rule name: test_tuser1_pinto
SELinux User: staff_u:s0-s0:c0.c1023
Enabled: TRUE
Users: tuser1
Hosts: pinto.example.com

Rule name: test_user
SELinux User: user_u:s0-s0:c0.c1023
Host category: all
Enabled: TRUE
Users: tuser1, tuser2
----------------------------
Number of entries returned 3
----------------------------
So in this case when logging into pinto as tuser1 the context should be staff_u:s0-s0:c0.c1023 (most specific user and host).
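An added example, not part of the ticket or of SSSD's code: a check for the SERVICE:USER:LEVEL format discussed above. The level itself contains a colon, so a USER:LEVEL entry with no service still has two colons and passes a naive field count. The names `check_entry` and `check_logins`, the allowed name characters, and splitting entries on whitespace are assumptions of this sketch.

```python
import re

# MLS level such as s0 or s0:c0.c1023; a range is LEVEL or LOW-HIGH.
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
MLS_RANGE = re.compile(rf"{_LEVEL}(?:-{_LEVEL})?")
# Assumed character set for service and SELinux user names.
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def check_entry(entry):
    """Return None for a valid SERVICE:USER:LEVEL entry, else a reason string."""
    # Split on the first two colons only: the level keeps its own ':'.
    parts = entry.split(":", 2)
    if len(parts) == 3:
        service, seuser, level = parts
        if ((service == "*" or NAME.fullmatch(service))
                and NAME.fullmatch(seuser) and MLS_RANGE.fullmatch(level)):
            return None
    # Counting fields is not enough, so test explicitly for a bare USER:LEVEL.
    user, _, rest = entry.partition(":")
    if NAME.fullmatch(user) and MLS_RANGE.fullmatch(rest):
        return "service field missing (entry is USER:LEVEL)"
    return "not SERVICE:USER:LEVEL"


def check_logins(text):
    """Return a list of problems found in the text of one user's logins file."""
    # Entries are split on any whitespace, so one-per-line and
    # space-separated layouts are reported the same way (assumption).
    entries = text.split()
    problems = [f"entry {i}: {reason}: {e!r}"
                for i, e in enumerate(entries, 1)
                if (reason := check_entry(e))]
    if len(entries) != 1:
        problems.append(f"expected exactly one entry, found {len(entries)}")
    return problems


# GOOD and MULTI are quoted from the thread; NO_SERVICE is constructed
# from its description of the file missing the service part.
GOOD = "*:user_u:s0-s0:c0.c1023\n"
NO_SERVICE = "user_u:s0-s0:c0.c1023\n"
MULTI = "*:user_u:s0-s0:c0.c1023 staff_u:s0-s0:c0.c1023 unconfined_u:s0-s0:c0.c1023\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("no service", NO_SERVICE), ("multi", MULTI)):
        print(name, check_logins(text) or "ok")
```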
milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 4
Jan is on vacation. Picking up.
owner: jzeleny => jhrozek
status: assigned => new
component: SSSD => SELinux
milestone: SSSD 1.9.0 beta 4 => SSSD 1.9.0 beta 5
Jan sent the patch after all.
owner: jhrozek => jzeleny
master:
resolution: => fixed
status: new => closed
Metadata Update from @rcritten:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2402
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.