Dne pátek 22 června 2012 15:27:14, Jan Zelený napsal(a):
Dne pátek 22 června 2012 09:15:15, Rob Crittenden napsal(a):
> Jan Zelený wrote:
> > This patch modifies behavior of SSSD when putting together content of
> > user config file for pam_selinux. SSSD will now pick only the first user
> > map in the priority list which matches to the user logging in. Other
> > maps
> > are ignored.
> >
> >
https://fedorahosted.org/sssd/ticket/1360
> >
> > Rob, please confirm that this is the right and expected behavior.
> >
> > Thanks
> > Jan
>
> What you have described sounds right. I don't have enough context in
> sssd to know whether this patch will achieve that.
I realize that. I just wanted to verify that the described behavior is
correct. The patch itself will be reviewed by someone else from SSSD team.
Thank you for the confirmation
Self-NACK after a discussion on IRC.
The problem with this patch is that user will receive only the lowest
permissions possible because of the order of SELinux user priority list stored
on IPA server. We want it exactly the other way.
Another patch coming soon.
Thanks
Jan