Bug 846792 (CVE-2012-3462)

Summary: FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Product: [Fedora] Fedora Reporter: Stephen Gallagher <sgallagh>
Component: sssdAssignee: Stephen Gallagher <sgallagh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-06 11:22:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Stephen Gallagher 2012-08-08 18:05:05 UTC 
Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
3. Configure the FreeIPA server to provide an SELinux user context rule for the same user
4. Configure SSSD with session_provider = ipa
5. Log in as the above user
  
Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
Comment 1 Jakub Hrozek 2012-08-09 09:43:15 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1470
Comment 2 Jakub Hrozek 2012-09-06 11:22:32 UTC 
This bug has been closed in F18 and rawhide.