#1455 SELinux code must fall back to default only if there are no rules on the server
Closed: Fixed None Opened 10 years ago by jhrozek.

The SELinux evaluator in the PAM responder uses the default SELinux user from the IPA server when no rules match, even when there are in fact no rules on the server.

This is wrong, because all users in the default IPA configuration would get the very restricted guest_u context. guest_u is not able, for instance, to run any setuid programs.

In case there are no rules on the IPA server, we must simply avoid generating the login file. That would make us fall back to the system-wide default defined in /etc/selinux/targeted/seusers.

The IPA default must be only used if there are rules on the server, but none matches.

Fields changed

status: new => assigned

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
rhbz: => 0

master: f004e23

proposed_priority: => Undefined
resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2497

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.