https://bugzilla.redhat.com/show_bug.cgi?id=846792 (Fedora)
Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
3. Configure the FreeIPA server to provide an SELinux user context rule for the same user
4. Configure SSSD with session_provider = ipa
5. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
Fields changed
blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
tests: => 0
testsupdated: => 0
upgrade: => 0
master: ffcf27b
owner: somebody => jhrozek
resolution: => fixed
status: new => closed
Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2512
If you want to receive further updates on the issue, please navigate to the github issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.