#1395 SELinux rule matching ignores specificity requirement
Closed: Fixed None Opened 8 years ago by sgallagh.

From the sssd-devel list

Maps are still not working properly.

It now always selects the highest priority that a user is associated 
with. This is incorrect. It needs to go through an HBAC-style evaluation 
where the specificity of the user (vs usercat=all) and the host are 
taken into consideration.

So for example these three rules:

   Rule name: test_all
   SELinux User: unconfined_u:s0-s0:c0.c1023
   User category: all
   Host category: all
   Enabled: TRUE

   Rule name: test_tuser1_pinto
   SELinux User: staff_u:s0-s0:c0.c1023
   Enabled: TRUE
   Users: tuser1
   Hosts: pinto.greyoak.com

   Rule name: test_user
   SELinux User: user_u:s0-s0:c0.c1023
   Host category: all
   Enabled: TRUE
   Users: tuser1

If I log into pinto as tuser1 I get assigned unconfined_u. It should be 
staff_u because that rule is more specific than test_all. The only time 
the context ordering should be considered is when there are two rules 
that match with the same specificity.
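
The evaluation requested above, contrasted with the priority-only selection the report describes, as an added example (not part of the ticket and not SSSD's code). It assumes specificity is the number of dimensions matched by an explicit user or host rather than by category "all", leaves out groups and host groups, and uses a constructed `ORDER` list with the lowest priority first; all class and function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample of the SELinux user order, lowest priority first (assumption).
ORDER = ["user_u:s0-s0:c0.c1023", "staff_u:s0-s0:c0.c1023",
         "unconfined_u:s0-s0:c0.c1023"]

@dataclass
class Rule:
    name: str
    seuser: str
    users: frozenset = frozenset()   # explicit members; ignored when user_all is set
    hosts: frozenset = frozenset()
    user_all: bool = False           # "User category: all"
    host_all: bool = False           # "Host category: all"
    enabled: bool = True

def specificity(rule, user, host):
    """Count explicitly matched dimensions (0-2); None if the rule does not apply."""
    if not rule.enabled:
        return None
    score = 0
    for is_all, members, value in ((rule.user_all, rule.users, user),
                                   (rule.host_all, rule.hosts, host)):
        if is_all:
            continue                 # category "all" matches but adds no specificity
        if value not in members:
            return None
        score += 1
    return score

def select_by_priority_only(rules, user, host, order=ORDER):
    """Behaviour reported in the ticket: highest-priority matching context wins."""
    hits = [r for r in rules if specificity(r, user, host) is not None]
    return max(hits, key=lambda r: order.index(r.seuser)).seuser if hits else None

def select_by_specificity(rules, user, host, order=ORDER):
    """Requested behaviour: most specific match wins; order only breaks ties."""
    hits = [(specificity(r, user, host), order.index(r.seuser), r.seuser)
            for r in rules if specificity(r, user, host) is not None]
    return max(hits)[2] if hits else None

# The three rules from the ticket.
RULES = [
    Rule("test_all", "unconfined_u:s0-s0:c0.c1023", user_all=True, host_all=True),
    Rule("test_tuser1_pinto", "staff_u:s0-s0:c0.c1023",
         users=frozenset({"tuser1"}), hosts=frozenset({"pinto.greyoak.com"})),
    Rule("test_user", "user_u:s0-s0:c0.c1023",
         users=frozenset({"tuser1"}), host_all=True),
]
```

For tuser1 on pinto.greyoak.com the first function returns the unconfined_u context and the second returns the staff_u context, which is the difference the report is about.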

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5
rhbz: => 0

Jan's fix for #1360 would fix this issue as well. Moving to beta 5.

milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 5
patch: 0 => 1

master:

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 5

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2437

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
