Bug 846792 (CVE-2012-3462) - FreeIPA HBAC rules ignored when FreeIPA and SSSD are configured to set SELinux user context
Keywords:
Status: CLOSED RAWHIDE
Alias: CVE-2012-3462
Product: Fedora
Classification: Fedora
Component: sssd
Version: rawhide
Hardware: All
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Stephen Gallagher
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-08-08 18:05 UTC by Stephen Gallagher
Modified: 2020-05-02 16:57 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-06 11:22:32 UTC
Type: Bug




Links:
Github SSSD sssd issues 2512 (Priority: None, Status: None, Summary: None), Last Updated 2020-05-02 16:57:08 UTC

Description Stephen Gallagher 2012-08-08 18:05:05 UTC
Description of problem:
A flaw in SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user
  
Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
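The failure mode in the description, modelled as an added example. This is not SSSD source and not the upstream patch; the step functions, the PAM status handling and the sample rules and maps are assumptions made for illustration. The one point taken from FreeIPA itself is that HBAC rules are allow-only, so a user is denied when no enabled rule matches the user, host and service. The flawed handler lets the status reported by the SELinux user-map step replace the HBAC verdict; the corrected handler treats an HBAC denial as final and only consults the SELinux map for a user who was already granted access.

```python
"""Model of an access-provider pipeline in which an SELinux user-map step
can overwrite an HBAC denial (illustration only, not SSSD code)."""
from dataclasses import dataclass

# Status values as defined in Linux-PAM's _pam_types.h
PAM_SUCCESS = 0
PAM_PERM_DENIED = 6
PAM_IGNORE = 25  # "nothing to report from this step"


def _member(members, value):
    """FreeIPA-style membership: the category 'all' matches everything."""
    return "all" in members or value in members


@dataclass
class HbacRule:            # hypothetical shape, assumed for the example
    name: str
    users: set
    hosts: set
    services: set
    enabled: bool = True


@dataclass
class SelinuxUserMap:      # hypothetical shape, assumed for the example
    name: str
    selinux_user: str
    users: set
    hosts: set
    enabled: bool = True


def hbac_step(rules, maps, user, host, service):
    """HBAC is allow-only: deny unless some enabled rule matches all three."""
    allowed = any(
        r.enabled and _member(r.users, user) and _member(r.hosts, host)
        and _member(r.services, service)
        for r in rules
    )
    return (PAM_SUCCESS if allowed else PAM_PERM_DENIED), None


def selinux_step(rules, maps, user, host, service):
    """Apply the first enabled map matching user and host.

    Applying a map is reported as PAM_SUCCESS; that status is what must
    never be allowed to replace an HBAC denial.
    """
    for m in maps:
        if m.enabled and _member(m.users, user) and _member(m.hosts, host):
            return PAM_SUCCESS, m.selinux_user
    return PAM_IGNORE, None


def flawed_access_handler(rules, maps, user, host, service):
    """Bug pattern: the last step that reports a status wins, so a user
    with a matching SELinux map is granted access despite the HBAC deny."""
    status, context = PAM_PERM_DENIED, None
    for step in (hbac_step, selinux_step):
        step_status, step_context = step(rules, maps, user, host, service)
        if step_status != PAM_IGNORE:
            status = step_status
        if step_context is not None:
            context = step_context
    return status, context


def fixed_access_handler(rules, maps, user, host, service):
    """Corrected ordering: an HBAC denial is final."""
    status, _ = hbac_step(rules, maps, user, host, service)
    if status != PAM_SUCCESS:
        return status, None
    _, context = selinux_step(rules, maps, user, host, service)
    return PAM_SUCCESS, context


# Constructed sample data, not taken from any real FreeIPA deployment.
RULES = [
    HbacRule("allow_admin_ssh", users={"admin"}, hosts={"all"}, services={"sshd"}),
]
MAPS = [
    SelinuxUserMap("staff_on_clients", "staff_u:s0-s0:c0.c1023",
                   users={"admin", "alice"}, hosts={"client.example.test"}),
]
HOST = "client.example.test"


if __name__ == "__main__":
    for user in ("admin", "alice", "bob"):
        print(user,
              "flawed:", flawed_access_handler(RULES, MAPS, user, HOST, "sshd"),
              "fixed:", fixed_access_handler(RULES, MAPS, user, HOST, "sshd"))
```

With the constructed data, alice has no HBAC rule but does have an SELinux map: the flawed handler reports success with her mapped context, which is the "actual result" above, while the fixed handler denies her; bob, who has neither, is denied by both, which is why the defect only shows for users that have an SELinux user-map entry.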

Comment 1 Jakub Hrozek 2012-08-09 09:43:15 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1470

Comment 2 Jakub Hrozek 2012-09-06 11:22:32 UTC
This bug has been closed in F18 and rawhide.

