#1360 format of file for pam_selinux is incorrect
Closed: Fixed None Opened 7 years ago by rcritten.

Dan looked into the user mapping and here is one thing he found:

[16:55]    dwalsh    Ok the code expects SERVICE:USER:LEVEL
[16:56]    dwalsh    *:user_u:s0-s0:c0.c1023
[16:56]    dwalsh    Would be the correct format

The file that sssd wrote out was missing the service part and just had the user/level portions.

I think using * now for all services is fine. The IPA SELinux user maps do not have the concept of services so by implication it applies to all.


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0

Fields changed

rhbz: => 0

Fields changed

owner: somebody => jzeleny
status: new => assigned

Fields changed

patch: 0 => 1

This build works with a single user map: sssd-1.8.93-0.20120618T1837Zgitbb79e75.fc17

Multiple maps still end up with a mal-formatted logins file:

*:user_u:s0-s0:c0.c1023
staff_u:s0-s0:c0.c1023
unconfined_u:s0-s0:c0.c1023

It should probably just write out a single entry which represents the best match for that user based on the selinux user map rules since this is going to match all services.

Yes, the algorithm is in fact supposed to write out just one user map. Could you please describe how to reproduce this issue, i.e. how to get multiple maps in the file? Thanks

I just created three rules that would match the user I'm logging in as. I wanted to test that the correct rule would be applied:

  Rule name: test_all
  SELinux User: unconfined_u:s0-s0:c0.c1023
  User category: all
  Host category: all
  Enabled: TRUE

  Rule name: test_tuser1_pinto
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: tuser1
  Hosts: pinto.example.com

  Rule name: test_user
  SELinux User: user_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  Users: tuser1, tuser2
----------------------------
Number of entries returned 3
----------------------------

So in this case when logging into pinto as tuser1 the context should be staff_u:s0-s0:c0.c1023 (most specific user and host).
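The selection the comment above describes, as an added illustration that is not SSSD's code: the three quoted rules are modelled as plain records, the single most specific applicable rule is chosen for a user/host pair, and only that rule is rendered in the `SERVICE:USER:LEVEL` form pam_selinux expects, with `*` as the service. The scoring order (explicit user or host beats a category of "all") is an assumption taken from the comment, not SSSD's actual precedence logic.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class UserMap:
    """One IPA SELinux user map rule (constructed model, not SSSD's)."""
    name: str
    selinux_user: str                 # e.g. "staff_u:s0-s0:c0.c1023"
    enabled: bool = True
    user_category_all: bool = False   # "User category: all"
    host_category_all: bool = False   # "Host category: all"
    users: frozenset = frozenset()
    hosts: frozenset = frozenset()

def specificity(rule, user, host):
    """(user_score, host_score) for an applicable rule, else None.
    Explicit match scores 2, a category of "all" scores 1 (assumed order)."""
    if not rule.enabled:
        return None
    user_score = 2 if user in rule.users else 1 if rule.user_category_all else 0
    host_score = 2 if host in rule.hosts else 1 if rule.host_category_all else 0
    if not user_score or not host_score:
        return None
    return (user_score, host_score)

def best_map(rules, user, host):
    """Pick the single most specific applicable rule (ties: first listed)."""
    best, best_score = None, None
    for rule in rules:
        score = specificity(rule, user, host)
        if score is not None and (best_score is None or score > best_score):
            best, best_score = rule, score
    return best

def logins_line(rules, user, host):
    """Render the one SERVICE:USER:LEVEL line pam_selinux expects; IPA maps
    carry no service, so "*" applies the map to every service."""
    rule = best_map(rules, user, host)
    return f"*:{rule.selinux_user}" if rule else ""

# Constructed from the three rules quoted in the ticket.
RULES = [
    UserMap("test_all", "unconfined_u:s0-s0:c0.c1023",
            user_category_all=True, host_category_all=True),
    UserMap("test_tuser1_pinto", "staff_u:s0-s0:c0.c1023",
            users=frozenset({"tuser1"}), hosts=frozenset({"pinto.example.com"})),
    UserMap("test_user", "user_u:s0-s0:c0.c1023",
            host_category_all=True, users=frozenset({"tuser1", "tuser2"})),
]

if __name__ == "__main__":
    print(logins_line(RULES, "tuser1", "pinto.example.com"))  # *:staff_u:s0-s0:c0.c1023
```

Writing exactly one such line, rather than one per matching rule, is what keeps the file in the format pam_selinux parses.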

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 beta 4

Jan is on vacation. Picking up.

owner: jzeleny => jhrozek
status: assigned => new

Fields changed

component: SSSD => SELinux
milestone: SSSD 1.9.0 beta 4 => SSSD 1.9.0 beta 5

Jan sent the patch after all.

owner: jhrozek => jzeleny

Fields changed

resolution: => fixed
status: new => closed

Metadata Update from @rcritten:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 5

2 years ago
