Why am I a guest on Fedora 18?

Rob Crittenden rcritten at redhat.com
Tue Nov 13 19:45:48 UTC 2012


Erinn Looney-Triggs wrote:
> On 11/13/12 11:24, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>
>>>
>>> I am assuming you meant run this:
>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>
>>> Which in turn resulted in this:
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> In F-18 you have a version of sssd that actually CAN do selinux user
>> mapping.
>>
>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>
>> Try this as an admin user:
>>
>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>
>> Then try the login again.
>>
>> rob
>
> Rob,
> Thanks, you are probably correct; unfortunately the CLI netted me a failure:
> ipa config-show
> ipa: ERROR: 2.44 client incompatible with 2.34 server at
> u'https://ipa.foo.com/ipa/xml'

Yeah, you can talk with an older client to a newer server, but not the 
other way around.

> However, when run from RHEL systems it did indeed show what you expected.
>
> I modified the default context to unconfined_u and after clearing the
> sssd cache I logged back in as unconfined_u.
>
> Thanks so much for the help in tracking that down,

Excellent news!

rob


