It turns out that the current way of writing the SELinux login file during the account phase wouldn't work well for IPA clients. The reason is that the login file must be in place before "pam_selinux.so open" is called in the session stack. That happens before any of the processes are executed on behalf of the user, that is, before the service config file includes password-auth or system-auth.
We could in theory change authconfig to include pam_sss.so before pam_selinux.so open in the session stack, but that would require changing quite a few config files.
Because we need the login file to be present even before pam_sss's session management start, we should move it to the account phase.
I consulted this issue with the maintainer of PAM and AuthConfig in Fedora. Long story short, writing the SELinux file in the account stack is the only option we have.
However, this can bring some difficulties: the SELinux provider can't be a part of the access provider, as a user might want to use a different access provider than the SELinux provider.
I propose the following solution: we will add a new type of PAM command to the PAM responder: PAM_CMD_SELINUX. The PAM responder will detect when PAM_ACCT_MGMT is completed by the provider and after that it will create the new request and send it to the backend. Only after that will it return control to the PAM module. I already have a proof-of-concept patch, I will send it to the list momentarily.
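The ordering problem described in this ticket (pam_selinux.so open in the service's own session stack runs before the included password-auth/system-auth stack ever reaches pam_sss.so, while the account stack reaches pam_sss.so earlier) can be checked mechanically. The following is an added example, not code from the ticket or from SSSD; it flattens a PAM service file's stacks the way libpam resolves include/substack lines and reports where pam_selinux.so open and pam_sss.so land. The PAM excerpts are constructed, modelled on Fedora-style files, and bracketed control values such as [default=bad success=ok] are not parsed.

```python
"""Flatten a PAM service file's stacks (following include/substack) and
report the order in which pam_selinux.so open and pam_sss.so run."""

import re

# Constructed excerpts modelled on Fedora-style PAM files (not copied from
# any real system). The "session include password-auth" line in sshd is the
# one the ticket refers to: it comes after "pam_selinux.so open".
PAM_FILES = {
    "sshd": """\
#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
""",
    "password-auth": """\
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
account     required      pam_unix.so
account     sufficient    pam_sss.so
session     required      pam_limits.so
session     optional      pam_sss.so
session     required      pam_unix.so
""",
}

# type  control  module [args]; control is assumed to be a single token
LINE_RE = re.compile(
    r"^(?P<type>auth|account|password|session)\s+(?P<ctrl>\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)


def flatten_stack(service, stack_type, files=PAM_FILES, depth=0):
    """Return the ordered list of (module, args) for one stack type of a
    service, expanding include/substack lines in place like libpam does."""
    if depth > 8:
        raise RecursionError("include loop in PAM config")
    out = []
    for raw in files[service].splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and #%PAM-1.0
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m or m.group("type") != stack_type:
            continue
        module = m.group("module")
        args = (m.group("args") or "").strip()
        if m.group("ctrl") in ("include", "substack"):
            out.extend(flatten_stack(module, stack_type, files, depth + 1))
        else:
            out.append((module, args))
    return out


def selinux_open_vs_sss(service, files=PAM_FILES):
    """Positions of 'pam_selinux.so open' and of pam_sss.so in the session
    stack, plus whether the SELinux module runs first (the ticket's case)."""
    stack = flatten_stack(service, "session", files)

    def index_of(pred):
        return next((i for i, e in enumerate(stack) if pred(e)), None)

    i_selinux = index_of(lambda e: e[0] == "pam_selinux.so"
                         and e[1].startswith("open"))
    i_sss = index_of(lambda e: e[0] == "pam_sss.so")
    first = i_selinux is not None and i_sss is not None and i_selinux < i_sss
    return i_selinux, i_sss, first


def account_modules(service, files=PAM_FILES):
    """Modules of the account stack, which runs before any session module."""
    return [module for module, _ in flatten_stack(service, "account", files)]


if __name__ == "__main__":
    print("session:", selinux_open_vs_sss("sshd"))
    print("account:", account_modules("sshd"))
```

With the constructed sshd file, pam_selinux.so open sits at position 2 of the flattened session stack while pam_sss.so only appears at position 5 (inside the included password-auth), so anything pam_sss.so writes during session setup arrives too late; the account stack, by contrast, already contains pam_sss.so, which is why the ticket moves the login file write there.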
patch: 0 => 1
status: new => assigned
milestone: NEEDS_TRIAGE => SSSD 1.9.0 beta 6
Fixed in master:
resolution: => fixed
status: assigned => closed
rhbz: => 0
Metadata Update from @jhrozek:
- Issue assigned to jzeleny
- Issue set to the milestone: SSSD 1.9.0 beta 6