#1435 SELinux specificity does not work with HBAC rules
Closed: Fixed None Opened 9 years ago by jhrozek.

Evaluating the rules to find the most specific one should work the same way with HBAC rules and without them. The code currently in git head (1.9.0 beta5) ignores specificity for rules linked with HBAC rules.

Here is my setup:

# ipa selinuxusermap-find
2 SELinux User Maps matched
  Rule name: hbac_test
  SELinux User: xguest_u:s0
  HBAC Rule: allow_all
  Enabled: TRUE

  Rule name: test_user1_specific_host_hbac
  SELinux User: user_u:s0-s0:c0.c1023
  HBAC Rule: test_user1_specific_host
  Enabled: TRUE
Number of entries returned 2

# ipa hbacrule-find 
2 HBAC rules matched
  Rule name: allow_all
  User category: all
  Host category: all
  Source host category: all
  Service category: all
  Description: Allow all users to access any host from any host
  Enabled: TRUE

  Rule name: test_user1_specific_host
  Enabled: TRUE
  Users: tuser1
  Hosts: ipaclient.example.com

I was logging in as tuser1 to ipaclient.example.com. The correct context would have been user_u; however, I always end up with xguest.

The specificity needs to work the same with or without HBAC rules; it's just a different source of information like host or user.
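The selection rule the ticket asks for can be modelled in a few lines. The Python below is an added illustration written for this page, not SSSD's or FreeIPA's code: it reconstructs the two SELinux user maps and two HBAC rules from the ipa output above as constructed data, treats a map linked to an HBAC rule as applying to that rule's users and hosts, and scores specificity with an assumed rule (an explicit user or host list beats a category of "all"). The "buggy" mode, in which every HBAC-linked map is given the lowest score so that linked maps tie and the first listed one wins, is only a plausible model of the reported symptom (tuser1 ending up in xguest_u), not a description of the actual defect in the 1.9.0 beta5 code. The point for an operator is that a map-selection bug silently changes which SELinux confinement a user logs in under, so the context (id -Z) should be verified against the intended map after any change to maps or HBAC rules.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class HbacRule:
    """Constructed stand-in for an IPA HBAC rule (not SSSD's own structures)."""
    name: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    user_category_all: bool = False   # "User category: all"
    host_category_all: bool = False   # "Host category: all"


@dataclass
class SelinuxMap:
    """Constructed stand-in for an IPA SELinux user map."""
    name: str
    selinux_user: str
    users: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    user_category_all: bool = False
    host_category_all: bool = False
    hbac_rule: Optional[HbacRule] = None   # set when the map is linked to an HBAC rule


def membership(m: SelinuxMap):
    """Users/hosts/categories a map applies to: its own, or the linked HBAC rule's."""
    src = m.hbac_rule if m.hbac_rule is not None else m
    return src.users, src.hosts, src.user_category_all, src.host_category_all


def matches(m: SelinuxMap, user: str, host: str) -> bool:
    users, hosts, ucat, hcat = membership(m)
    return (ucat or user in users) and (hcat or host in hosts)


def specificity(m: SelinuxMap) -> int:
    """Assumed scoring: an explicit user or host list beats a category of 'all'."""
    _, _, ucat, hcat = membership(m)
    return (0 if ucat else 1) + (0 if hcat else 1)


def select_selinux_user(maps, user, host, honour_hbac_specificity=True):
    """Return the SELinux user of the most specific matching map, or None.

    With honour_hbac_specificity=False every HBAC-linked map is scored 0, so
    linked maps tie and the first one listed wins: a plausible model of the
    behaviour reported in this ticket, not a claim about the real code.
    """
    best, best_score = None, -1
    for m in maps:
        if not matches(m, user, host):
            continue
        if m.hbac_rule is not None and not honour_hbac_specificity:
            score = 0
        else:
            score = specificity(m)
        if score > best_score:   # strict comparison: earlier maps win ties
            best, best_score = m, score
    return best.selinux_user if best else None


# Constructed data mirroring the ipa *-find output in the ticket.
ALLOW_ALL = HbacRule("allow_all", user_category_all=True, host_category_all=True)
SPECIFIC = HbacRule("test_user1_specific_host",
                    users={"tuser1"}, hosts={"ipaclient.example.com"})

HBAC_LINKED_MAPS = [
    SelinuxMap("hbac_test", "xguest_u:s0", hbac_rule=ALLOW_ALL),
    SelinuxMap("test_user1_specific_host_hbac", "user_u:s0-s0:c0.c1023", hbac_rule=SPECIFIC),
]

# The same policy expressed directly on the maps, without HBAC links.
DIRECT_MAPS = [
    SelinuxMap("direct_all", "xguest_u:s0", user_category_all=True, host_category_all=True),
    SelinuxMap("direct_tuser1", "user_u:s0-s0:c0.c1023",
               users={"tuser1"}, hosts={"ipaclient.example.com"}),
]


if __name__ == "__main__":
    who, where = "tuser1", "ipaclient.example.com"
    print("direct maps:        ", select_selinux_user(DIRECT_MAPS, who, where))
    print("HBAC-linked, buggy: ", select_selinux_user(HBAC_LINKED_MAPS, who, where,
                                                      honour_hbac_specificity=False))
    print("HBAC-linked, fixed: ", select_selinux_user(HBAC_LINKED_MAPS, who, where))
    print("other user, fixed:  ", select_selinux_user(HBAC_LINKED_MAPS, "someone", where))
```

With the direct maps tuser1 gets user_u as expected; with the HBAC-linked maps the modelled buggy path returns xguest_u, while honouring the linked rule's users and hosts returns user_u for tuser1 and still xguest_u for any other user matched only by allow_all.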

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
owner: somebody => jzeleny

Fields changed

patch: 0 => 1

Fields changed

status: new => assigned

- 33ecf38
- 1187b00

resolution: => fixed
status: assigned => closed

Fields changed

rhbz: => 0

Metadata Update from @jhrozek:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2477

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
