Re: [SSSD] [PATCH] SELinux user maps: pick just one map

Mon, 25 Jun 2012 14:36:06 -0700 

Stephen Gallagher wrote:

On Fri, 2012-06-22 at 15:49 -0400, Stephen Gallagher wrote:

On Fri, 2012-06-22 at 16:12 +0200, Jan Zelený wrote:

Dne pátek 22 června 2012 09:41:37, Rob Crittenden napsal(a):

Jan Zelený wrote:

Dne pátek 22 června 2012 09:15:15, Rob Crittenden napsal(a):

Jan Zelený wrote:

This patch modifies behavior of SSSD when putting together content of
user config file for pam_selinux. SSSD will now pick only the first user
map in the priority list which matches to the user logging in. Other
maps
are ignored.

https://fedorahosted.org/sssd/ticket/1360

Rob, please confirm that this is the right and expected behavior.

Thanks
Jan


What you have described sounds right. I don't have enough context in
sssd to know whether this patch will achieve that.


I realize that. I just wanted to verify that the described behavior is
correct. The patch itself will be reviewed by someone else from SSSD team.

Thank you for the confirmation


We had a discussion in IRC and it seems that the using of the usermap
order is incorrect. The list is ordered from least to most permissive
(xguest ... unconfined).

We want to assign the most permissive context available. So if several
rules evaluate the same except for context we need to refer to the
ordered list and pick the most permissive one.


Following patch selects the right record with respect to ascending order of
permission levels.



Ack


Pushed to master.


Maps are still not working properly.
It now always selects the highest priority that a user is associated with. This is incorrect. It needs to go through an HBAC-style evaluation where the specificity of the user (vs usercat=all) and the host are taken into consideration. 

So for example these three rules:

  Rule name: test_all
  SELinux User: unconfined_u:s0-s0:c0.c1023
  User category: all
  Host category: all
  Enabled: TRUE

  Rule name: test_tuser1_pinto
  SELinux User: staff_u:s0-s0:c0.c1023
  Enabled: TRUE
  Users: tuser1
  Hosts: pinto.greyoak.com

  Rule name: test_user
  SELinux User: user_u:s0-s0:c0.c1023
  Host category: all
  Enabled: TRUE
  Users: tuser1
If I log into pinto as tuser1 I get assigned unconfined_u. It should be staff_u because that rule is more specific than test_all. The only time the context ordering should be considered is when there are two rules that match with the same specificity. 

rob
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel

Reply via email to