Why am I a guest on Fedora 18?

Daniel J Walsh dwalsh at redhat.com
Tue Nov 13 19:48:44 UTC 2012


On 11/13/2012 02:45 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/13/12 11:24, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 
>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>> 
>>>> 
>>>> I am assuming you meant run this: selinuxdefcon erinn
>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>> 
>>>> Which in turn resulted in this: 
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> 
>>> In F-18 you have a version of sssd that actually CAN do selinux user 
>>> mapping.
>>> 
>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>> 
>>> Try this as an admin user:
>>> 
>>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>> 
>>> Then try the login again.
>>> 
>>> rob
>> 
>> Rob, thanks, you are probably correct; unfortunately the CLI netted me a
>> failure:
>>
>> ipa config-show
>> ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
> 
> Yeah, you can talk with an older client to a newer server, but not the
> other way around.
> 
>> However, when run from RHEL systems it did indeed show what you
>> expected.
>> 
>> I modified the default context to unconfined_u and after clearing the 
>> sssd cache I logged back in as unconfined_u.
>> 
>> Thanks so much for the help in tracking that down,
> 
> Excellent news!
> 
> rob
> 

This points out a couple of things. First, we need to stop allowing users to
log in if the login is not allowed via pam_selinux, and secondly we should
report in syslog where the configuration came from, since most people are
going to expect the default.

semanage login -l needs to be updated to show these files also.