You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1072067
+++ This bug was initially created as a clone of Bug #1071578 +++
Description of problem:
FreeIPA allows the user to create a set of SELinux user maps. These are not
cached properly, and as a result for a user with a domain joined system such as
a laptop, when the system is started without access to the domain network, your
SELinux permissions are reduced causing a lack in system functionality until
you rejoin the domain network and login / out.
Version-Release number of selected component (if applicable):
1.11.4-1
How reproducible:
Always
Steps to Reproduce:
1. Join a laptop to a freeipa domain.
2. In freeipa, create a default selinux user map with a low label, ie
user_u:user_r:user_t:s0. Then for the laptop system create a hbac rule for the
user, and the laptop. Then create an selinux map for that hbac rule such as
staff_u:staff_r:staff_t:s0:c0.c1023. Ensure that when you login to the laptop
on the network, you get the staff role.
3. Disconnect all network devices on the laptop, reboot and login.
Actual results:
id -Z is user_u:user_r:user_t:s0
Expected results:
Since a login has already occured the label of
staff_u:staff_r:staff_t:s0:c0.c1023 should be cached, and given to the user.
Additional info:
Given the nature of this bug, where a user may end up mislabelled, either in a
higher or lower context depending on the setup of the freeipa selinux defaults,
this may pose a security risk.
--- Additional comment from Jakub Hrozek on 2014-03-03 11:29:14 EST ---
Thank you for the bug report. I reproduced your problem and I'm working on a
fix.
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2264
Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1072067
Comments
Comment from jhrozek at 2014-03-04 16:56:13
Fields changed
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.11.5
owner: somebody => jhrozek
patch: 0 => 1
priority: major => critical
review: True => 0
selected: =>
status: new => assigned
testsupdated: => 0
Comment from jhrozek at 2014-03-05 13:20:24
resolution: => fixed
status: assigned => closed
Comment from jhrozek at 2017-02-24 14:47:18
Metadata Update from @jhrozek:
The text was updated successfully, but these errors were encountered: