#1455 SELinux code must fall back to default only if there are no rules on the server
Closed: Fixed. Opened 6 years ago by jhrozek.

The SELinux evaluator in the PAM responder uses the default SELinux user from the IPA server when no rules match, even when there are in fact no rules on the server.

This is wrong, because all users in the default IPA configuration would get the very restricted guest_u context. guest_u is not able, for instance, to run any setuid programs.

In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers.

The IPA default must only be used if there are rules on the server but none of them matches.
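The three-way decision the ticket asks for, as an added illustration rather than SSSD's own code: the enum, struct and function names are hypothetical, and the rule matcher is a deliberately simplified stand-in for IPA's SELinux user maps (user-name lists only, no host matching).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Outcome of evaluating the SELinux user for one login (hypothetical names). */
enum selinux_action {
    SELINUX_SKIP_LOGIN_FILE = 0, /* no rules on the server: write nothing, seusers applies */
    SELINUX_USE_RULE        = 1, /* a rule matched: use its SELinux user */
    SELINUX_USE_IPA_DEFAULT = 2, /* rules exist but none matched: use the IPA default */
};

/* Simplified stand-in for an IPA SELinux user map: which users it covers. */
struct selinux_rule {
    const char *seuser;          /* e.g. "staff_u" */
    const char *const *users;    /* NULL-terminated list of matching user names */
};

static bool rule_matches(const struct selinux_rule *rule, const char *user)
{
    for (size_t i = 0; rule->users[i] != NULL; i++) {
        if (strcmp(rule->users[i], user) == 0) return true;
    }
    return false;
}

/* Decide what the PAM responder should do for `user`. On SELINUX_USE_RULE or
 * SELINUX_USE_IPA_DEFAULT, *seuser_out names the context to write to the login file. */
enum selinux_action evaluate_selinux_user(const struct selinux_rule *rules, size_t num_rules,
                                          const char *ipa_default, const char *user,
                                          const char **seuser_out)
{
    *seuser_out = NULL;
    if (num_rules == 0) {
        /* The fix this ticket asks for: do not emit the login file at all, so the
         * system-wide /etc/selinux/targeted/seusers default applies instead of
         * the very restricted IPA default (guest_u). */
        return SELINUX_SKIP_LOGIN_FILE;
    }
    for (size_t i = 0; i < num_rules; i++) {
        if (rule_matches(&rules[i], user)) {
            *seuser_out = rules[i].seuser;
            return SELINUX_USE_RULE;
        }
    }
    /* Rules exist on the server but none covers this user: only now is the IPA default correct. */
    *seuser_out = ipa_default;
    return SELINUX_USE_IPA_DEFAULT;
}
```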

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
rhbz: => 0

master: f004e23

proposed_priority: => Undefined
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7

2 years ago
