#1470 FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context

Created 4 years ago by jhrozek
Modified 3 months ago

https://bugzilla.redhat.com/show_bug.cgi?id=846792 (Fedora)

Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule
processing to be ignored in the event that the access-provider is also handling
the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
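The flaw described above is a fail-open ordering bug: a deny verdict from HBAC evaluation is overwritten by the status of a later step. The following is an added illustration in C, a hypothetical model of an access-provider handler and not SSSD's own code; the functions, the `user_ctx` struct and the status values are assumptions made for the example. It shows the buggy flow, where the SELinux step's return value replaces the HBAC result, beside the fixed flow, where a deny short-circuits before any SELinux context is assigned.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical status codes modelled on PAM return values (assumed, not SSSD's). */
enum pam_status { PAM_OK = 0, PAM_PERM_DENIED = 6 };

/* Constructed per-login context: the HBAC outcome and the server-assigned SELinux user. */
struct user_ctx {
    bool hbac_allowed;        /* result of evaluating the HBAC rules for this login */
    const char *selinux_user; /* SELinux user context the server mapped to the user, or NULL */
};

/* HBAC step: deny unless a rule allows the user. */
static int hbac_eval(const struct user_ctx *u)
{
    return u->hbac_allowed ? PAM_OK : PAM_PERM_DENIED;
}

/* SELinux step: records the context and reports only its own success. */
static int selinux_setup(const struct user_ctx *u, char *out, size_t n)
{
    if (u->selinux_user == NULL)
        return PAM_OK;               /* nothing to set up */
    snprintf(out, n, "%s", u->selinux_user);
    return PAM_OK;
}

/* Buggy flow: the HBAC verdict is computed, then clobbered by the SELinux step's
 * status, so a denied user is admitted and receives the SELinux context. */
int access_handler_buggy(const struct user_ctx *u, char *out, size_t n)
{
    int ret = hbac_eval(u);
    ret = selinux_setup(u, out, n);  /* overwrites a PAM_PERM_DENIED result */
    return ret;
}

/* Fixed flow: a deny is returned immediately and the SELinux context is never
 * assigned; only an allowed user proceeds to the SELinux step. */
int access_handler_fixed(const struct user_ctx *u, char *out, size_t n)
{
    int ret = hbac_eval(u);
    if (ret != PAM_OK) {
        out[0] = '\0';               /* no SELinux context for a denied login */
        return ret;
    }
    return selinux_setup(u, out, n);
}
```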

Fields changed

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.0 RC1
tests: => 0
testsupdated: => 0
upgrade: => 0

master: ffcf27b0b773b580289d596f796aaf86c45ba920

owner: somebody => jhrozek

Fields changed

resolution: => fixed
status: new => closed

3 months ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.9.0 beta 7

defect

SSSD