On Fri, 2012-06-22 at 16:12 +0200, Jan Zelený wrote:
> On Friday 22 June 2012 09:41:37, Rob Crittenden wrote:
> > Jan Zelený wrote:
> > > On Friday 22 June 2012 09:15:15, Rob Crittenden wrote:
> > >> Jan Zelený wrote:
> > >>> This patch modifies behavior of SSSD when putting together content of
> > >>> user config file for pam_selinux. SSSD will now pick only the first user
> > >>> map in the priority list which matches to the user logging in. Other
> > >>> maps are ignored.
> > >>>
> > >>> https://fedorahosted.org/sssd/ticket/1360
> > >>>
> > >>> Rob, please confirm that this is the right and expected behavior.
> > >>>
> > >>> Thanks
> > >>> Jan
> > >>
> > >> What you have described sounds right. I don't have enough context in
> > >> sssd to know whether this patch will achieve that.
> > >
> > > I realize that. I just wanted to verify that the described behavior is
> > > correct. The patch itself will be reviewed by someone else from SSSD team.
> > >
> > > Thank you for the confirmation
> >
> > We had a discussion in IRC and it seems that the using of the usermap
> > order is incorrect. The list is ordered from least to most permissive
> > (xguest ... unconfined).
> >
> > We want to assign the most permissive context available. So if several
> > rules evaluate the same except for context we need to refer to the
> > ordered list and pick the most permissive one.
>
> Following patch selects the right record with respect to ascending order of
> permission levels.

Ack
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
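
The selection rule agreed in the thread above, as an added example; it is not the SSSD patch under review and not code from the project. It assumes the order list is a single '$'-separated string of contexts running from least to most permissive; the function names and the sample order string are hypothetical, and skipping contexts that are missing from the order list is a choice made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Position of `ctx` in the '$'-separated order string (least permissive
 * first), or -1 if it is not listed. Separator is an assumption. */
static int order_rank(const char *order, const char *ctx)
{
    size_t len = strlen(ctx);
    int rank = 0;
    const char *p = order;
    while (*p != '\0') {
        const char *end = strchr(p, '$');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == len && strncmp(p, ctx, n) == 0)
            return rank;
        rank++;
        p = end ? end + 1 : p + n;
    }
    return -1;
}

/* Among the contexts of the rules that matched the user, return the one
 * that appears latest in the order list (most permissive). Contexts not
 * present in the order list are never selected (assumption of this
 * example). Returns NULL when no usable context matched. */
const char *pick_most_permissive(const char *order,
                                 const char *const *matched, size_t count)
{
    const char *best = NULL;
    int best_rank = -1;
    for (size_t i = 0; i < count; i++) {
        int r = order_rank(order, matched[i]);
        if (r > best_rank) {
            best_rank = r;
            best = matched[i];
        }
    }
    return best;
}

/* Constructed sample order list, not taken from the thread. */
static const char SAMPLE_ORDER[] =
    "xguest_u:s0$guest_u:s0$user_u:s0$staff_u:s0$unconfined_u:s0";

int main(void)
{
    const char *matched[] = { "user_u:s0", "staff_u:s0", "guest_u:s0" };
    printf("%s\n", pick_most_permissive(SAMPLE_ORDER, matched, 3));
    return 0;
}
```

Picking the first matching map instead would return `user_u:s0` for this input, which is the behaviour the thread rejects.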