The IPA session code used to download all enabled SELinux rules, but then filter out those that match the current user and save only those. This meant that if a rule was deleted or disabled on the server, it remained in the cache and was still evaluated.
The attached patch changes that behaviour to save all downloaded rules -- if this proves to be slow, we can optimize, for instance in a way similar to how HBAC rules are optimized, by falling back to sysdb rules if several requests arrive within a specified interval. However, we don't use member/memberof links when saving the SELinux mappings, so the sysdb write should be reasonably fast.
[PATCH 1/3] IPA: Download defaults even if there are no SELinux mappings
We should always download the defaults because even if there are no rules, we might want to use (or update) the defaults. Previously, the defaults were only downloaded when there were some rules on the server.
[PATCH 2/3] SYSDB: Delete SELinux mappings
A sysdb function that can be used to delete SELinux mappings from the sysdb.
[PATCH 3/3] IPA: Return and save all SELinux rules in the provider
https://fedorahosted.org/sssd/ticket/1421
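The stale-cache problem described in the cover letter, reduced to a constructed model added here for illustration (this is not SSSD code and does not touch sysdb or LDAP). The rule shape, user names and rule names are invented; the two cache classes stand in for the old "filter to the current user, then merge into the cache" strategy and the patched "delete the cached mappings, then save everything the server returned" strategy.

```python
"""Constructed model (not SSSD code) of the two SELinux-rule cache strategies
the cover letter contrasts: merge only the rules matching the current user
into the cache (old behaviour) versus replace the cached set with everything
the server returned (new behaviour)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SelinuxRule:
    # Hypothetical simplified rule: the users it applies to and the SELinux
    # user it maps them to.
    name: str
    users: frozenset
    selinux_user: str
    enabled: bool = True


def server_download(all_rules):
    """The server hands out only enabled rules, as the cover letter states."""
    return [r for r in all_rules if r.enabled]


def matching(rules, user):
    """Client-side evaluation: names of the cached rules that apply to user."""
    return sorted(r.name for r in rules if user in r.users)


class FilterThenMergeCache:
    """Old behaviour: keep only rules matching the current user and write
    them into the cache. Nothing is ever deleted, so a rule removed or
    disabled on the server survives in the cache and is still evaluated."""

    def __init__(self):
        self.stored = {}

    def refresh(self, downloaded, user):
        for r in downloaded:
            if user in r.users:
                self.stored[r.name] = r

    def evaluate(self, user):
        return matching(self.stored.values(), user)


class SaveAllCache:
    """New behaviour: wipe the cached mappings (the sysdb delete function
    from PATCH 2/3), then store every downloaded rule whether or not it
    matches the current user. The cache mirrors the server after each refresh."""

    def __init__(self):
        self.stored = {}

    def refresh(self, downloaded, user):
        self.stored = {}                      # delete all cached SELinux mappings
        for r in downloaded:
            self.stored[r.name] = r           # save every rule, matching or not

    def evaluate(self, user):
        return matching(self.stored.values(), user)


def simulate():
    """Run both strategies through one refresh for 'alice', disable a rule on
    the server, refresh again, and report what each cache now applies."""
    rules = [
        SelinuxRule("guest_rule", frozenset({"alice"}), "guest_u"),
        SelinuxRule("staff_rule", frozenset({"alice"}), "staff_u"),
        SelinuxRule("bob_rule", frozenset({"bob"}), "user_u"),
    ]
    old, new = FilterThenMergeCache(), SaveAllCache()
    for cache in (old, new):
        cache.refresh(server_download(rules), "alice")

    # An administrator disables staff_rule; the next download omits it.
    rules[1] = SelinuxRule("staff_rule", frozenset({"alice"}), "staff_u", enabled=False)
    for cache in (old, new):
        cache.refresh(server_download(rules), "alice")

    return {
        "old_alice": old.evaluate("alice"),   # stale staff_rule still present
        "new_alice": new.evaluate("alice"),   # mirrors the server
        "old_bob": old.evaluate("bob"),       # never cached: filtered out
        "new_bob": new.evaluate("bob"),       # cached although alice refreshed
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The second lookup for bob shows the other side of the change: because the patched provider saves all rules rather than only the current user's, a refresh triggered by one user's session also leaves the cache usable for other users, which is what makes the fallback-to-sysdb optimisation mentioned in the letter possible.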