Bug 846792 - (CVE-2012-3462) FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Assigned To: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-08-08 14:05 EDT by Stephen Gallagher
Modified: 2012-09-06 07:22 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-09-06 07:22:32 EDT
Type: Bug
Description Stephen Gallagher 2012-08-08 14:05:05 EDT
Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
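The flaw described in the report, modelled as an added example (this is not SSSD's own code): a buggy access handler whose SELinux-context step overwrites the HBAC verdict, beside a fixed handler that treats a deny as final. HBAC is modelled as allow-only with default deny; the rule and map structures, users and hostname are constructed for illustration.

```python
"""Model of the fail-open ordering bug in bug 846792 (CVE-2012-3462).
Illustrative only; SSSD's real access provider is written in C."""
from dataclasses import dataclass

PAM_SUCCESS, PAM_PERM_DENIED = 0, 6  # Linux-PAM status codes

@dataclass
class HbacRule:            # constructed stand-in for a FreeIPA HBAC rule
    users: set
    hosts: set
    services: set
    enabled: bool = True

@dataclass
class SelinuxUserMap:      # constructed stand-in for a FreeIPA SELinux user map
    users: set
    selinux_user: str

def hbac_evaluate(rules, user, host, service):
    """Allow-only HBAC: access is granted iff some enabled rule matches (assumption)."""
    for r in rules:
        if r.enabled and user in r.users and host in r.hosts and service in r.services:
            return PAM_SUCCESS
    return PAM_PERM_DENIED

def selinux_context_setup(maps, user):
    """Pick the user's SELinux user (or a default); this step itself always succeeds."""
    ctx = next((m.selinux_user for m in maps if user in m.users), "unconfined_u")
    return PAM_SUCCESS, ctx

def access_handler_buggy(rules, maps, user, host, service):
    """Buggy: the SELinux step's status replaces the HBAC verdict, so a denied
    user is let in and even receives the mapped context (the reported behaviour)."""
    pam_status = hbac_evaluate(rules, user, host, service)
    pam_status, ctx = selinux_context_setup(maps, user)   # overwrites the deny
    return pam_status, ctx

def access_handler_fixed(rules, maps, user, host, service):
    """Fixed: a deny is final; context setup runs only after an allow and can
    only downgrade the verdict, never upgrade it."""
    pam_status = hbac_evaluate(rules, user, host, service)
    if pam_status != PAM_SUCCESS:
        return pam_status, None
    selinux_status, ctx = selinux_context_setup(maps, user)
    return (PAM_SUCCESS if selinux_status == PAM_SUCCESS else selinux_status), ctx

# Constructed scenario: no rule allows 'bob' on this host, but a map targets him.
RULES = [HbacRule({"alice"}, {"client.example.test"}, {"sshd"})]
MAPS = [SelinuxUserMap({"bob"}, "staff_u")]

if __name__ == "__main__":
    print(access_handler_buggy(RULES, MAPS, "bob", "client.example.test", "sshd"))
    print(access_handler_fixed(RULES, MAPS, "bob", "client.example.test", "sshd"))
```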
Comment 1 Jakub Hrozek 2012-08-09 05:43:15 EDT
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1470
Comment 2 Jakub Hrozek 2012-09-06 07:22:32 EDT
This bug has been closed in F18 and rawhide.