#1427 Don't refersh HBAC rules when looking up SELinux rules
Closed: Fixed None Opened 9 years ago by sgallagh.

ipa_get_selinux_maps_done() has a FIXME in it that we should address. Currently, we always refresh the complete set of HBAC rules whenever we process SELinux rules. However, in the vast majority of cases, we have already done this in the pam_acct_mgmt stack already. This is a wasted trip to LDAP. The only case where we don't is if pam_sss.so has been removed from the 'account' stack.

What we should do is check whether there are any non-expired HBAC rules currently in the cache. If there are, skip the HBAC update during the SELinux session phase.

Does sssd know if it is in the account stack or not? Can this be detected in advance and checked in this case?

Sorry, maybe I was unclear above. My point was that if any HBAC rules exist in the cache, it means two things:
1) SSSD exists in the PAM_ACCT_MGMT stack
2) This domain has access_provide = ipa

So from my perspective, this is enough information to avoid an HBAC lookup in the session stack (adding the caveat that checking for expiration time would help us in the rare situation where they turned off the HBAC lookup at some point).

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
priority: critical => major
rhbz: => 0

Fields changed

milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 7

Fields changed

owner: somebody => jzeleny
status: new => assigned

- 1390b5d
- 95d170a
- 679a0ab

patch: 0 => 1
resolution: => fixed
status: assigned => closed

Fields changed

milestone: SSSD 1.9.0 beta 7 => SSSD 1.9.0 beta 6

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2469

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.