Red Hat Bugzilla – Bug 846792
FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Last modified: 2012-09-06 07:22:32 EDT
Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user
Actual results:
User is granted access and has the assigned SELinux user context.
Expected results:
User should be denied by the HBAC rules.
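To see whether an enrolled client is running the combination the steps above describe, here is an added check (not part of this bug report and not SSSD or FreeIPA code) that reads sssd.conf and flags a domain whose access provider and session provider are both ipa, i.e. the configuration in which the HBAC deny was silently overridden. The sssd.conf it parses is a constructed sample modelled on what ipa-client-install writes; the domain example.com and the server ipa.example.com are placeholders. The only authoritative test of the fix is step 6 itself: with an updated SSSD the login must fail. Where a client cannot be updated yet, dropping session_provider = ipa removes the trigger at the cost of the SELinux user mapping; that is an inference from the description above, not something the report states.

```shell
#!/bin/sh
# Added example: flag an sssd.conf domain in which SELinux context setup
# (session_provider = ipa) runs alongside HBAC evaluation (access_provider = ipa).

# sssd_opt CONF SECTION KEY -> prints the value of KEY in [SECTION], empty if unset.
# Minimal ini parsing: a "[section]" line selects the section, "key = value" inside it.
sssd_opt() {
    awk -v sect="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { insect = ($0 == sect); next }
        insect && ($0 ~ ("^[[:space:]]*" key "[[:space:]]*=")) {
            sub(/^[^=]*=[[:space:]]*/, "")   # strip "key ="
            sub(/[[:space:]]+$/, "")         # strip trailing blanks
            print
            exit
        }' "$1"
}

# selinux_hbac_trigger CONF DOMAIN -> exit 0 when [domain/DOMAIN] has both
# access_provider = ipa and session_provider = ipa, the combination from the report.
selinux_hbac_trigger() {
    [ "$(sssd_opt "$1" "domain/$2" access_provider)" = ipa ] &&
    [ "$(sssd_opt "$1" "domain/$2" session_provider)" = ipa ]
}

# write_sample_conf FILE -> constructed sssd.conf resembling an ipa-client-install
# result with session_provider = ipa added by hand (step 5 above). Not a real config.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
cache_credentials = True
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
session_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
ipa_hostname = client.example.com
EOF
}

# Stand-alone demonstration on the constructed sample.
conf=$(mktemp)
write_sample_conf "$conf"
if selinux_hbac_trigger "$conf" example.com; then
    echo "domain/example.com: access_provider and session_provider are both ipa;"
    echo "  verify with a real login (step 6) that an HBAC deny is still enforced"
else
    echo "domain/example.com: SELinux session provider not enabled; bug not triggered"
fi
rm -f "$conf"
```

The check only tells you that the preconditions are present; nothing in the configuration reveals whether the installed SSSD carries the upstream patch, so the login attempt from the reproduction steps remains the real test.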
Upstream has a patch ready for this issue.
This bug has been closed in F18 and rawhide.