ipa_get_selinux_maps_done() has a FIXME in it that we should address. Currently, we always refresh the complete set of HBAC rules whenever we process SELinux rules. However, in the vast majority of cases, we have already done this in the pam_acct_mgmt stack. This is a wasted trip to LDAP. The only case where we don't is if pam_sss.so has been removed from the 'account' stack.
What we should do is check whether there are any non-expired HBAC rules currently in the cache. If there are, skip the HBAC update during the SELinux session phase.
Does sssd know if it is in the account stack or not? Can this be detected in advance and checked in this case?
Sorry, maybe I was unclear above. My point was that if any HBAC rules exist in the cache, it means two things:
1) SSSD exists in the PAM_ACCT_MGMT stack
2) This domain has access_provider = ipa
So from my perspective, this is enough information to avoid an HBAC lookup in the session stack (adding the caveat that checking for expiration time would help us in the rare situation where they turned off the HBAC lookup at some point).
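The decision proposed in this thread, as an added illustration that is not SSSD's code: the session phase skips the LDAP HBAC refresh only when the cache holds at least one non-expired HBAC rule, which proves the account phase ran and the rules are not stale. The struct, the `expire == 0` "never expires" convention and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical minimal model of a cached HBAC rule: for this decision only
 * the expiry timestamp matters. The struct and field names are constructed
 * for the example and are not SSSD's sysdb types. */
struct cached_hbac_rule {
    const char *name;
    time_t expire;   /* assumed convention: 0 means the entry never expires */
};

/* True if at least one cached HBAC rule is still valid at 'now'. That is
 * evidence that pam_sss.so ran in the 'account' stack with an IPA access
 * provider and refreshed HBAC recently. An empty or fully expired cache
 * gives no such evidence (e.g. pam_sss.so removed from 'account', or HBAC
 * lookups switched off for a while), so a fresh LDAP fetch is required. */
bool hbac_cache_is_fresh(const struct cached_hbac_rule *rules, size_t n, time_t now)
{
    for (size_t i = 0; i < n; i++) {
        if (rules[i].expire == 0 || rules[i].expire > now) {
            return true;
        }
    }
    return false;
}

/* Decision for the SELinux session phase: refresh only when the cache does
 * not prove a recent account-phase HBAC refresh. */
bool selinux_phase_needs_hbac_refresh(const struct cached_hbac_rule *rules, size_t n, time_t now)
{
    return !hbac_cache_is_fresh(rules, n, now);
}

int main(void)
{
    /* Constructed sample cache: one rule expired at t=900, one valid until t=2000. */
    const struct cached_hbac_rule cache[] = {
        { "allow_admins_ssh", 900 },
        { "allow_all",       2000 },
    };
    time_t now = 1000;
    printf("refresh needed at t=%ld: %s\n", (long)now,
           selinux_phase_needs_hbac_refresh(cache, 2, now) ? "yes" : "no");
    return 0;
}
```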
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
priority: critical => major
rhbz: => 0
milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 7
owner: somebody => jzeleny
status: new => assigned
patch: 0 => 1
resolution: => fixed
status: assigned => closed
milestone: SSSD 1.9.0 beta 7 => SSSD 1.9.0 beta 6
Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6