Why am I a guest on Fedora 18?
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 13 19:48:44 UTC 2012
On 11/13/2012 02:45 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/13/12 11:24, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>
>>>>
>>>> I am assuming you meant run this: selinuxdefcon erinn
>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>
>>>> Which in turn resulted in this:
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>
>>> In F-18 you have a version of sssd that actually CAN do selinux user
>>> mapping.
>>>
>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>>
>>> Try this as an admin user:
>>>
>>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>
>>> Then try the login again.
>>>
>>> rob
>>
>> Rob, thanks, you are probably correct. Unfortunately, the CLI netted me a
>> failure:
>>
>> ipa config-show
>> ipa: ERROR: 2.44 client incompatible with 2.34 server at
>> u'https://ipa.foo.com/ipa/xml'
>
> Yeah, you can talk with an older client to a newer server, but not the
> other way around.
>
>> However, when run from RHEL systems it did indeed show what you
>> expected.
>>
>> I modified the default context to unconfined_u and after clearing the
>> sssd cache I logged back in as unconfined_u.
>>
>> Thanks so much for the help in tracking that down,
>
> Excellent news!
>
> rob
>
This points out a couple of things. First, we need to stop allowing users to
log in if the login is not allowed via pam_selinux, and secondly we should
report in syslog where the configuration came from, since most people are
going to expect the default.

semanage login -l needs to be updated to show these files also.
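Added example, not part of the original message and not code from SELinux, SSSD or FreeIPA: a shell function that reports which file decided a login's SELinux user, the information the message above says should reach syslog and semanage login -l. The file layout described in the comments and the names seuser_source and make_sample_root are assumptions; the sample policy root is constructed.

```shell
#!/bin/sh
# Added example. Assumed layout (not stated in the thread):
#   <root>/logins/<login>  per-login overrides, lines "service:seuser:level"
#                          ("*" as service matches any service)
#   <root>/seusers         local policy, lines "login:seuser:level"
#                          ("__default__" is the fallback entry)

# Print "<file that decided> <seuser>:<level>" for a login and PAM service.
seuser_source() {
    login=$1; service=$2; root=$3
    override="$root/logins/$login"
    if [ -r "$override" ]; then
        # An exact service match wins; otherwise the last "*" line applies.
        line=$(awk -F: -v s="$service" '
            /^#/ || NF < 3 { next }
            $1 == s   { print; found = 1; exit }
            $1 == "*" { wild = $0 }
            END { if (!found && wild != "") print wild }' "$override")
        if [ -n "$line" ]; then
            printf '%s %s\n' "$override" "${line#*:}"
            return 0
        fi
    fi
    [ -r "$root/seusers" ] || return 1
    for key in "$login" __default__; do
        line=$(awk -F: -v k="$key" '$1 == k { print; exit }' "$root/seusers")
        if [ -n "$line" ]; then
            printf '%s %s\n' "$root/seusers" "${line#*:}"
            return 0
        fi
    done
    return 1
}

# Constructed sample: local policy defaults to unconfined_u, while an
# override file (as a mapping daemon would write) says guest_u.
make_sample_root() {
    d=$(mktemp -d)
    mkdir "$d/logins"
    printf '%s\n' '__default__:unconfined_u:s0-s0:c0.c1023' > "$d/seusers"
    printf '%s\n' '*:guest_u:s0' > "$d/logins/erinn"
    printf '%s\n' "$d"
}

sample=$(make_sample_root)
seuser_source erinn sshd "$sample"    # decided by logins/erinn
seuser_source rob sshd "$sample"      # decided by seusers __default__
```

On a real host the third argument would be the active policy directory, for example /etc/selinux/targeted (an assumed path, not given in the thread).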