#1427 Don't refersh HBAC rules when looking up SELinux rules
Closed: Fixed None Opened 7 years ago by sgallagh.

ipa_get_selinux_maps_done() has a FIXME in it that we should address. Currently, we always refresh the complete set of HBAC rules whenever we process SELinux rules. However, in the vast majority of cases, we have already done this in the pam_acct_mgmt stack already. This is a wasted trip to LDAP. The only case where we don't is if pam_sss.so has been removed from the 'account' stack.

What we should do is check whether there are any non-expired HBAC rules currently in the cache. If there are, skip the HBAC update during the SELinux session phase.


Does sssd know if it is in the account stack or not? Can this be detected in advance and checked in this case?

Sorry, maybe I was unclear above. My point was that if any HBAC rules exist in the cache, it means two things:
1) SSSD exists in the PAM_ACCT_MGMT stack
2) This domain has access_provide = ipa

So from my perspective, this is enough information to avoid an HBAC lookup in the session stack (adding the caveat that checking for expiration time would help us in the rare situation where they turned off the HBAC lookup at some point).

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
priority: critical => major
rhbz: => 0

Fields changed

milestone: SSSD 1.9.0 beta 6 => SSSD 1.9.0 beta 7

Fields changed

owner: somebody => jzeleny
status: new => assigned

master:
- 1390b5d
- 95d170a
- 679a0ab

patch: 0 => 1
resolution: => fixed
status: assigned => closed

Fields changed

milestone: SSSD 1.9.0 beta 7 => SSSD 1.9.0 beta 6

Metadata Update from @sgallagh:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6

2 years ago

Login to comment on this ticket.

Metadata