On Friday, 22 June 2012 09:41:37, Rob Crittenden wrote:
> Jan Zelený wrote:
> > On Friday, 22 June 2012 09:15:15, Rob Crittenden wrote:
> >> Jan Zelený wrote:
> >>> This patch modifies behavior of SSSD when putting together content of
> >>> user config file for pam_selinux. SSSD will now pick only the first user
> >>> map in the priority list which matches to the user logging in. Other
> >>> maps are ignored.
> >>>
> >>> https://fedorahosted.org/sssd/ticket/1360
> >>>
> >>> Rob, please confirm that this is the right and expected behavior.
> >>>
> >>> Thanks
> >>> Jan
> >>
> >> What you have described sounds right. I don't have enough context in
> >> sssd to know whether this patch will achieve that.
> >
> > I realize that. I just wanted to verify that the described behavior is
> > correct. The patch itself will be reviewed by someone else from SSSD team.
> >
> > Thank you for the confirmation
>
> We had a discussion in IRC and it seems that the use of the usermap
> order is incorrect. The list is ordered from least to most permissive
> (xguest ... unconfined).
>
> We want to assign the most permissive context available. So if several
> rules evaluate the same except for context we need to refer to the
> ordered list and pick the most permissive one.
The following patch selects the right record with respect to ascending order of
permission levels.
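
An added illustration of the selection rule agreed above (not the patch from this thread and not SSSD code): among the maps that match the login, take the one whose context sits furthest along the least-to-most-permissive order list. The struct, the function names and the middle entries of the order list are assumptions; a context missing from the list is skipped rather than ranked.

```c
#include <stddef.h>
#include <string.h>

/* Constructed order list, least to most permissive. The thread names only
 * the two ends (xguest ... unconfined); the middle entries are assumed. */
static const char *const MAP_ORDER[] = {
    "xguest_u", "guest_u", "user_u", "staff_u", "unconfined_u"
};
#define MAP_ORDER_LEN (sizeof(MAP_ORDER) / sizeof(MAP_ORDER[0]))

/* Hypothetical, simplified user map after user/host matching was evaluated. */
struct usermap {
    const char *name;
    int matches_login;        /* 1 if the rule applies to this login */
    const char *selinux_user; /* context the rule would assign */
};

/* Position in the order list, or -1 when the context is not listed. */
static int order_rank(const char *selinux_user)
{
    for (size_t i = 0; i < MAP_ORDER_LEN; i++) {
        if (strcmp(MAP_ORDER[i], selinux_user) == 0) return (int)i;
    }
    return -1;
}

/* Return the matching map with the highest rank (most permissive).
 * Returns NULL when no matching map has a context from the order list. */
static const struct usermap *pick_usermap(const struct usermap *maps, size_t n)
{
    const struct usermap *best = NULL;
    int best_rank = -1;

    for (size_t i = 0; i < n; i++) {
        if (!maps[i].matches_login || maps[i].selinux_user == NULL) continue;
        int rank = order_rank(maps[i].selinux_user);
        if (rank > best_rank) {   /* unlisted contexts (-1) never win */
            best = &maps[i];
            best_rank = rank;
        }
    }
    return best;
}

/* Constructed sample: three maps match the login, one does not. */
static const struct usermap SAMPLE_MAPS[] = {
    {"kiosk", 1, "xguest_u"}, {"admins", 1, "staff_u"},
    {"other-host", 0, "unconfined_u"}, {"unlisted", 1, "sysadm_u"},
};
```

With the sample above, the non-matching `unconfined_u` map and the unlisted `sysadm_u` map are both ignored, so the `staff_u` map is chosen over `xguest_u`.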