Why am I a guest on Fedora 18?
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 13 22:07:05 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
> On 11/13/12 11:48, Daniel J Walsh wrote:
>> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>
>>>>>>
>>>>>> I am assuming you meant run this: selinuxdefcon erinn
>>>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>
>>>>>> Which in turn resulted in this:
>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>
>>>>> In F-18 you have a version of sssd that actually CAN do selinux
>>>>> user mapping.
>>>>>
>>>>> Run ipa config-show and I'll bet the default SELinux user is
>>>>> guest_u.
>>>>>
>>>>> Try this as an admin user:
>>>>>
>>>>> $ ipa config-mod
>>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>>
>>>>> Then try the login again.
>>>>>
>>>>> rob
>>>>
>>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me
>>>> a failure: ipa config-show ipa: ERROR: 2.44 client incompatible with
>>>> 2.34 server at u'https://ipa.foo.com/ipa/xml'
>>
>>> Yeah, you can talk with an older client to a newer server, but not the
>>> other way around.
>>
>>>> However, when run from RHEL systems it did indeed show what you
>>>> expected.
>>>>
>>>> I modified the default context to unconfined_u and after clearing the
>>>> sssd cache I logged back in as unconfined_u.
>>>>
>>>> Thanks so much for the help in tracking that down,
>>
>>> Excellent news!
>>
>>> rob
>>
>>
>> This points out a couple of things. First, we need to stop allowing users to
>> log in if the login is not allowed via pam_selinux, and second, we should
>> report in syslog where the configuration came from, since most people are
>> going to expect the default.
>>
>> semanage login -l needs to be updated to show these files also.
>>
>
> I agree. Would you like me to open tickets for these, or can you chaps
> handle it amongst yourselves?
>
> -Erinn
>
>
Please open a ticket.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlCixIkACgkQrlYvE4MpobOSJQCfRS5cz6nJpYyCsYmmDngjtESR
hvIAnRUMI9XFS61W1g7L13UjvnWb1Jyx
=zp9D
-----END PGP SIGNATURE-----
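The thread's root cause was a mapping that came from somewhere the admin did not expect: IPA's default SELinux user, delivered through sssd, overrode the local `semanage login` default and dropped the login into guest_u. The following is an added example (not code from the thread, from FreeIPA, or from sssd) that parses a `semanage login -l`-style listing, resolves which SELinux user a login would get, and names the origin of the mapping, which is the detail Dan wants syslog to carry. The sample listing and the `SAMPLE_IPA_MAPPINGS` dict are constructed; the precedence it assumes (an sssd-delivered per-user mapping beats a local exact entry, which beats `__default__`) is an assumption, as are the helper names.

```python
"""Resolve the SELinux user a login lands in and report where the mapping
came from.  Added example; not code from the thread, FreeIPA or sssd.

Assumed precedence (labelled assumption): a mapping sssd delivers from IPA
for a login wins over local semanage entries, and an exact local entry wins
over __default__.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample of `semanage login -l` output (first three columns:
# Login Name, SELinux User, MLS/MCS Range); header and blank line included.
SAMPLE_SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
auditor              staff_u              s0-s0:c0.c1023
"""

# Constructed: what sssd would hand to pam_selinux for an IPA user while the
# IPA default SELinux user (ipaselinuxusermapdefault) is still guest_u.
SAMPLE_IPA_MAPPINGS = {"erinn": "guest_u:s0"}
IPA_SOURCE = "sssd/IPA (ipaselinuxusermapdefault)"


@dataclass(frozen=True)
class LoginMapping:
    login: str
    seuser: str
    mls_range: str
    source: str  # origin of the mapping, the detail the thread asks syslog to carry


def parse_semanage_login(text: str, source: str = "semanage login -l") -> list[LoginMapping]:
    """Parse the tabular listing; skips the header and blank lines."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Login":
            continue
        out.append(LoginMapping(fields[0], fields[1], fields[2], source))
    return out


def parse_seuser_spec(spec: str) -> tuple[str, str]:
    """Split an IPA-style 'seuser:range' (e.g. unconfined_u:s0-s0:c0.c1023)."""
    seuser, sep, mls_range = spec.partition(":")
    if not sep or not seuser or not mls_range:
        raise ValueError(f"malformed SELinux user spec: {spec!r}")
    return seuser, mls_range


def parse_context(ctx: str) -> tuple[str, str, str, str]:
    """Split a full context, as selinuxdefcon prints, into (user, role, type, range)."""
    parts = ctx.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    return parts[0], parts[1], parts[2], parts[3]


def resolve_login(login: str, local: list[LoginMapping],
                  ipa: dict[str, str] | None = None) -> LoginMapping:
    """Effective mapping for `login` under the assumed precedence."""
    if ipa and login in ipa:
        seuser, mls_range = parse_seuser_spec(ipa[login])
        return LoginMapping(login, seuser, mls_range, IPA_SOURCE)
    by_login = {m.login: m for m in local}
    if login in by_login:
        return by_login[login]
    if "__default__" in by_login:
        d = by_login["__default__"]
        return LoginMapping(login, d.seuser, d.mls_range, f"{d.source} __default__")
    raise LookupError(f"no SELinux user mapping for {login!r}")


def audit_guest_logins(logins, local, ipa=None) -> list[str]:
    """Flag logins that would be confined as guest_u, naming the origin."""
    resolved = (resolve_login(name, local, ipa) for name in logins)
    return [f"{m.login}: guest_u via {m.source}" for m in resolved if m.seuser == "guest_u"]


if __name__ == "__main__":
    local = parse_semanage_login(SAMPLE_SEMANAGE_LOGIN)
    for finding in audit_guest_logins(["root", "auditor", "erinn"], local, SAMPLE_IPA_MAPPINGS):
        print(finding)
```

Run against the constructed data, only `erinn` is reported, and the report says the guest_u mapping came from IPA rather than from the local `__default__`, which is exactly the distinction a `semanage login -l` listing alone does not show today.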