Learn more about these different git repos.
Other Git URLs
From the sssd-devel list
Maps are still not working properly. It now always selects the highest priority that a user is associated with. This is incorrect. It needs to go through an HBAC-style evaluation where the specificity of the user (vs usercat=all) and the host are taken into consideration. So for example these three rules: Rule name: test_all SELinux User: unconfined_u:s0-s0:c0.c1023 User category: all Host category: all Enabled: TRUE Rule name: test_tuser1_pinto SELinux User: staff_u:s0-s0:c0.c1023 Enabled: TRUE Users: tuser1 Hosts: pinto.greyoak.com Rule name: test_user SELinux User: user_u:s0-s0:c0.c1023 Host category: all Enabled: TRUE Users: tuser1 If I log into pinto as tuser1 I get assigned unconfined_u. It should be staff_u because that rule is more specific than test_all. The only time the context ordering should be considered is when there are two rules that match with the same specificity.
http://freeipa.org/page/SELinux_user_mapping#Evaluation
version: 1.9.0 beta 1 => 1.9.0 beta 3
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5 rhbz: => 0
Jan's fix for #1360 would fix this issue as well. Moving to beta 5.
milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 5 patch: 0 => 1
master:
resolution: => fixed status: new => closed
Metadata Update from @sgallagh: - Issue assigned to jzeleny - Issue set to the milestone: SSSD 1.9.0 beta 5
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2437
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.