Why am I a guest on Fedora 18?

Daniel J Walsh dwalsh at redhat.com
Tue Nov 13 22:07:05 UTC 2012



On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
> On 11/13/12 11:48, Daniel J Walsh wrote:
>> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>> 
>>>>>> 
>>>>>> I am assuming you meant run this: selinuxdefcon erinn 
>>>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>> 
>>>>>> Which in turn resulted in this: 
>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>> 
>>>>> In F-18 you have a version of sssd that actually CAN do selinux
>>>>> user mapping.
>>>>> 
>>>>> Run ipa config-show and I'll bet the default SELinux user is
>>>>> guest_u.
>>>>> 
>>>>> Try this as an admin user:
>>>>> 
>>>>> $ ipa config-mod 
>>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>> 
>>>>> Then try the login again.
>>>>> 
>>>>> rob
>>>> 
>>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me
>>>> a failure:
>>>> 
>>>> ipa config-show
>>>> ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
>> 
>>> Yeah, you can talk with an older client to a newer server, but not the 
>>> other way around.
>> 
>>>> However, when run from RHEL systems it did indeed show what you 
>>>> expected.
>>>> 
>>>> I modified the default context to unconfined_u and after clearing the
>>>> sssd cache I logged back in as unconfined_u.
>>>> 
>>>> Thanks so much for the help in tracking that down,
>> 
>>> Excellent news!
>> 
>>> rob
>> 
>> 
>> This points out a couple of things. First, we need to stop allowing users to
>> log in if the login is not allowed via pam_selinux, and second, we should
>> report in syslog where the configuration came from, since most people are
>> going to expect the default.
>> 
>> semanage login -l needs to be updated to show these files also.
>> 
> 
> I agree. Would you like me to open tickets for these, or can you chaps 
> handle it amongst yourselves?
> 
> -Erinn
> 
> 
Please open a ticket.
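The confusion in this thread came from two sources of truth: the local policy default that selinuxdefcon prints and the IPA "SELinux user map default" that sssd applies. The following added Python example (not code from the thread, FreeIPA or sssd) parses a constructed `ipa config-show` snippet and an observed login context and reports which source the login actually matched; the field labels and sample contexts are assumptions.

```python
"""Diagnose which SELinux user mapping a login actually received."""
from dataclasses import dataclass

# Constructed sample of `ipa config-show` output; field labels are assumed.
SAMPLE_CONFIG_SHOW = """\
  Maximum username length: 32
  SELinux user map order: guest_u:s0$xguest_u:s0-s0:c0.c1023$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  SELinux user map default: guest_u:s0
"""

@dataclass(frozen=True)
class SeUser:
    user: str   # SELinux user, e.g. unconfined_u
    mls: str    # MLS/MCS range, e.g. s0-s0:c0.c1023

def parse_map_entry(entry):
    """Parse an IPA map entry such as 'unconfined_u:s0-s0:c0.c1023'."""
    user, _, mls = entry.partition(":")
    if not user or not mls:
        raise ValueError("expected user:mls-range, got %r" % entry)
    return SeUser(user, mls)

def parse_config_show(text):
    """Return (default, order) from `ipa config-show` style output."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    default = parse_map_entry(fields["SELinux user map default"])
    order = [parse_map_entry(e) for e in fields["SELinux user map order"].split("$")]
    if default.user not in {e.user for e in order}:
        raise ValueError("map default %s is not in the map order" % default.user)
    return default, order

def user_from_context(ctx):
    """Reduce a full context user:role:type:mls (as printed by id -Z) to SeUser."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected user:role:type:mls, got %r" % ctx)
    return SeUser(parts[0], parts[3])

def explain_login(observed_ctx, local_default_ctx, ipa_default):
    """Say whether the observed login context came from 'ipa', 'local', 'both' or 'unknown'."""
    observed = user_from_context(observed_ctx)
    local = user_from_context(local_default_ctx)
    if observed == local == ipa_default:
        return "both"
    if observed == ipa_default:
        return "ipa"      # sssd applied the IPA map; selinuxdefcon was misleading
    if observed == local:
        return "local"    # local seusers default won; IPA map was not applied
    return "unknown"
```

A result of "ipa" with a guest_u user is exactly the case in the thread: the fix is `ipa config-mod --ipaselinuxusermapdefault=...` followed by clearing the sssd cache.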