Ticket https://fedorahosted.org/freeipa/ticket/755 defines a method for mapping IPA users to SELinux contexts. A user may map to a different context on different machines, and via groups and hostgroups may have several possible SELinux contexts on a given machine (only one is assigned, based on priority and specificity of the rules).
A test module is needed to be able to determine in advance what context would be given to a user on a host.
Might be deferred
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=782973
Moving to next month iteration.
I plan to make this similar to HBAC testing but each rule won't evaluate to a True/False, it will evaluate to a score. We take all the highest scores and from those rules pick the highest context.
The evaluation is host > hostgroup > hostcat = all, user > group < usercat = all.
I think I'll assign a number value to each matching option and sum them up so I can compare one rule to another.
I haven't considered how output will be handled yet. The HBAC test has optional details which show how the rules evaluate. I can probably print the score and the context for each rule and then a final value.
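As an added illustration of the score-based evaluation sketched in this comment (example code written for this page, not FreeIPA's or SSSD's implementation), the following evaluator sums a host-side and a user-side weight for each matching rule and reports the per-rule scores alongside the winning context. The weights, the Rule layout, the priority-list tie-break and the sample rules are assumptions of the example.

```python
# Added example: score-based evaluation of SELinux user-map rules.
# Weights, the Rule layout, the tie-break and the sample data are assumptions.
from dataclasses import dataclass, field

# Higher weight = more specific match (assumed values, not FreeIPA's).
WEIGHTS = {"explicit": 3, "group": 2, "all": 1}


@dataclass
class Rule:
    name: str
    selinuxuser: str                      # context assigned when the rule wins
    hosts: set = field(default_factory=set)
    hostgroups: set = field(default_factory=set)
    hostcat_all: bool = False             # hostcategory=all
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    usercat_all: bool = False             # usercategory=all


def side_score(name, memberships, explicit, rule_groups, cat_all):
    """Weight of the most specific way one side of a rule matches; 0 if none."""
    if name in explicit:
        return WEIGHTS["explicit"]
    if rule_groups & memberships:
        return WEIGHTS["group"]
    if cat_all:
        return WEIGHTS["all"]
    return 0


def score_rule(rule, user, user_groups, host, host_groups):
    """Sum of both sides' weights; 0 unless the host AND the user side match."""
    h = side_score(host, host_groups, rule.hosts, rule.hostgroups, rule.hostcat_all)
    u = side_score(user, user_groups, rule.users, rule.groups, rule.usercat_all)
    return h + u if h and u else 0


def evaluate(rules, user, user_groups, host, host_groups, context_order):
    """Return (winning context or None, [(rule name, score), ...]) for a user on a host."""
    details = [(r.name, score_rule(r, user, user_groups, host, host_groups)) for r in rules]
    best = max((s for _, s in details), default=0)
    if best == 0:
        return None, details
    winners = [r for r, (_, s) in zip(rules, details) if s == best]

    def rank(r):  # tie-break: earliest context in the assumed priority list wins
        return context_order.index(r.selinuxuser) if r.selinuxuser in context_order else len(context_order)

    return min(winners, key=rank).selinuxuser, details


# Constructed sample data: a catch-all rule, a group/hostgroup rule, and an explicit user/host rule.
CONTEXT_ORDER = ["unconfined_u:s0-s0:c0.c1023", "staff_u:s0-s0:c0.c1023", "guest_u:s0"]
RULES = [
    Rule("catch_all", "guest_u:s0", hostcat_all=True, usercat_all=True),
    Rule("admins_on_servers", "staff_u:s0-s0:c0.c1023", hostgroups={"servers"}, groups={"admins"}),
    Rule("alice_on_web1", "unconfined_u:s0-s0:c0.c1023", hosts={"web1"}, users={"alice"}),
]
```

Calling `evaluate(RULES, "bob", {"admins"}, "web2", {"servers"}, CONTEXT_ORDER)` returns the staff_u context together with the scores catch_all=2, admins_on_servers=4, alice_on_web1=0, which is the kind of per-rule detail a test command could print.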
Was trying to compare my implementation to sssd and discovered the user mapping isn't working.
The /etc/selinux/targeted/logins directory wasn't created/owned by selinux-policy. I filed this against F-17: https://bugzilla.redhat.com/show_bug.cgi?id=824999
SSSD isn't creating the map file correctly, it is missing the service. Filed ticket https://fedorahosted.org/sssd/ticket/1360
Have a working sssd build in sssd-1.8.93-0.20120618T1837Zgitbb79e75.fc17
It works only when a single map matches. Otherwise the formatting is still wrong, and in fact it writes out multiple contexts.
Putting into needs triage. It should belong to 3.3 Backlog.
Metadata Update from @rcritten: - Issue assigned to rcritten - Issue set to the milestone: Future Releases