Jan Zelený wrote:
On Friday, 22 June 2012 09:15:15, Rob Crittenden wrote:
Jan Zelený wrote:
This patch modifies the behavior of SSSD when putting together the content of
the user config file for pam_selinux. SSSD will now pick only the first user
map in the priority list which matches the user logging in. Other maps
are ignored.
https://fedorahosted.org/sssd/ticket/1360
Rob, please confirm that this is the right and expected behavior.
Thanks
Jan
What you have described sounds right. I don't have enough context in
sssd to know whether this patch will achieve that.
I realize that. I just wanted to verify that the described behavior is
correct. The patch itself will be reviewed by someone else from the SSSD team.
Thank you for the confirmation.
We had a discussion in IRC and it seems that the use of the usermap
order is incorrect. The list is ordered from least to most permissive
(xguest ... unconfined).
We want to assign the most permissive context available. So if several
rules evaluate the same except for context we need to refer to the
ordered list and pick the most permissive one.
rob
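
The selection rule described in the last message, as an added example that is not part of the thread or of SSSD's code: among the maps that match the user, take the one whose context sits latest in the least-to-most-permissive order list. The `struct usermap` type, the function names, the middle entries of the order list and the choice to never select a context missing from that list are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed order list, least to most permissive (xguest ... unconfined). */
static const char *const map_order[] = {
    "xguest_u", "user_u", "staff_u", "unconfined_u"
};
#define ORDER_LEN (sizeof(map_order) / sizeof(map_order[0]))

/* Hypothetical type, not an SSSD structure. */
struct usermap {
    const char *name;
    const char *context;
    int matches_user;   /* outcome of evaluating the rule for this login */
};

/* Position of a context in the order list, or -1 when it is not listed. */
static int order_rank(const char *context)
{
    for (size_t i = 0; i < ORDER_LEN; i++) {
        if (strcmp(map_order[i], context) == 0)
            return (int)i;
    }
    return -1;
}

/* Return the matching map with the highest rank, or NULL if none qualifies.
 * Assumption: a context absent from the order list is never selected. */
static const struct usermap *pick_most_permissive(const struct usermap *maps,
                                                  size_t n)
{
    const struct usermap *best = NULL;
    int best_rank = -1;

    for (size_t i = 0; i < n; i++) {
        if (!maps[i].matches_user)
            continue;
        int rank = order_rank(maps[i].context);
        if (rank > best_rank) {
            best = &maps[i];
            best_rank = rank;
        }
    }
    return best;
}

/* Constructed sample maps: first-match would yield user_u, not staff_u. */
static const struct usermap sample_maps[] = {
    {"rule_a", "user_u", 1},
    {"rule_b", "unconfined_u", 0},   /* does not match this user */
    {"rule_c", "staff_u", 1},
    {"rule_d", "sysadm_u", 1},       /* matches, but not in the order list */
};
```

With the sample data, taking the first matching map gives `user_u`, while ranking against the order list gives `staff_u`; `unconfined_u` is skipped because its rule does not match the user.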