Description of problem:
A flaw in the SSSD's access-provider logic causes the result of the HBAC rule processing to be ignored in the event that the access-provider is also handling the setup of the user's SELinux user context.

Version-Release number of selected component (if applicable):
sssd-1.9.0-14.fc18.beta6

How reproducible:
Every time

Steps to Reproduce:
1. Set up a FreeIPA server
2. Enroll a client with ipa-client-install
3. Configure FreeIPA with HBAC rules denying access to a user
4. Configure the FreeIPA server to provide an SELinux user context rule for the same user
5. Configure SSSD with session_provider = ipa
6. Log in as the above user

Actual results:
User is granted access and has the assigned SELinux user context.

Expected results:
User should be denied by the HBAC rules.

Additional info:
Upstream has a patch ready for this issue.
Upstream ticket: https://fedorahosted.org/sssd/ticket/1470
This bug has been closed in F18 and rawhide.