#1395 SELinux rule matching ignores specificity requirement
Closed: Fixed. Opened 7 years ago by sgallagh.

From the sssd-devel list

Maps are still not working properly.

It now always selects the highest priority that a user is associated with. This is incorrect. It needs to go through an HBAC-style evaluation where the specificity of the user (vs usercat=all) and the host are taken into consideration.

So for example these three rules:

   Rule name: test_all
   SELinux User: unconfined_u:s0-s0:c0.c1023
   User category: all
   Host category: all
   Enabled: TRUE

   Rule name: test_tuser1_pinto
   SELinux User: staff_u:s0-s0:c0.c1023
   Enabled: TRUE
   Users: tuser1
   Hosts: pinto.greyoak.com

   Rule name: test_user
   SELinux User: user_u:s0-s0:c0.c1023
   Host category: all
   Enabled: TRUE
   Users: tuser1

If I log into pinto as tuser1 I get assigned unconfined_u. It should be staff_u because that rule is more specific than test_all. The only time the context ordering should be considered is when there are two rules that match with the same specificity.
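The following is an added example, not code from SSSD or FreeIPA, that runs the three maps quoted above through both the behaviour reported here (pick the highest-ordered context among all matching maps) and the evaluation the mail asks for (pick the most specific matching map, and consult the context ordering only to break a tie). The order string is the ipaSELinuxUserMapOrder default as assumed here, the direction of that ordering (a later entry wins a tie) is an assumption, and so is the scoring scheme in which a map's specificity is the sum of its user-side and host-side scores; none of that is taken from the ticket.

```python
"""Specificity-first evaluation of IPA SELinux user maps.

Added example; this is not SSSD or FreeIPA code.  The three maps are the
ones from the ticket.  The default order string, the tie-break direction
(later entry wins) and the additive specificity score are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed default of FreeIPA's ipaSELinuxUserMapOrder, lowest priority first.
DEFAULT_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023"
    "$unconfined_u:s0-s0:c0.c1023"
)


@dataclass(frozen=True)
class SELinuxMap:
    name: str
    selinux_user: str
    enabled: bool = True
    user_category: Optional[str] = None   # "all" or None
    host_category: Optional[str] = None   # "all" or None
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    hostgroups: frozenset = frozenset()


def _member_score(category, direct, indirect, name, memberships):
    """Specificity of one side (user or host) of a map, or None if no match.
    2: named directly, 1: matched through a group/hostgroup, 0: category=all."""
    if name in direct:
        return 2
    if memberships & indirect:
        return 1
    if category == "all":
        return 0
    return None


def matching_maps(maps, user, user_groups, host, host_groups):
    """Return [(specificity, map)] for every enabled map that applies."""
    out = []
    for m in maps:
        if not m.enabled:
            continue
        us = _member_score(m.user_category, m.users, m.groups, user, frozenset(user_groups))
        hs = _member_score(m.host_category, m.hosts, m.hostgroups, host, frozenset(host_groups))
        if us is None or hs is None:
            continue
        out.append((us + hs, m))  # assumption: combined specificity is the sum
    return out


def order_rank(selinux_user, order=DEFAULT_ORDER):
    """Index in the '$'-separated order string; unknown contexts rank lowest."""
    entries = order.split("$")
    try:
        return entries.index(selinux_user)
    except ValueError:
        return -1


def select_by_order_only(maps, user, user_groups, host, host_groups, order=DEFAULT_ORDER):
    """The reported behaviour: ignore specificity, take the highest-ordered context."""
    cands = matching_maps(maps, user, user_groups, host, host_groups)
    if not cands:
        return None
    return max(cands, key=lambda c: order_rank(c[1].selinux_user, order))[1].selinux_user


def select_selinux_user(maps, user, user_groups, host, host_groups, order=DEFAULT_ORDER):
    """Requested behaviour: most specific match wins; the order only breaks ties."""
    cands = matching_maps(maps, user, user_groups, host, host_groups)
    if not cands:
        return None
    best = max(cands, key=lambda c: (c[0], order_rank(c[1].selinux_user, order)))
    return best[1].selinux_user


# The three maps quoted in the ticket, transcribed as data.
TICKET_MAPS = (
    SELinuxMap("test_all", "unconfined_u:s0-s0:c0.c1023",
               user_category="all", host_category="all"),
    SELinuxMap("test_tuser1_pinto", "staff_u:s0-s0:c0.c1023",
               users=frozenset({"tuser1"}), hosts=frozenset({"pinto.greyoak.com"})),
    SELinuxMap("test_user", "user_u:s0-s0:c0.c1023",
               host_category="all", users=frozenset({"tuser1"})),
)

if __name__ == "__main__":
    args = (TICKET_MAPS, "tuser1", (), "pinto.greyoak.com", ())
    print("order only   :", select_by_order_only(*args))   # the reported result
    print("specificity  :", select_selinux_user(*args))    # what the mail expects
```

With tuser1 on pinto all three maps match; `select_by_order_only` returns unconfined_u because it ranks highest in the order string, while `select_selinux_user` returns staff_u because test_tuser1_pinto names both the user and the host. On a host other than pinto the host-specific map drops out and test_user beats test_all on user specificity, so tuser1 gets user_u there; the order string only decides between maps of equal specificity.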

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 5
rhbz: => 0

Jan's fix for #1360 would fix this issue as well. Moving to beta 5.

milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 5
patch: 0 => 1

master:

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 5

2 years ago
