Why am I a guest on Fedora 18?

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Tue Nov 13 22:53:12 UTC 2012


On 11/13/2012 2:07 PM, Daniel J Walsh wrote:
> On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
>> On 11/13/12 11:48, Daniel J Walsh wrote:
>>> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 
>>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>>
>>>>>>>
>>>>>>> I am assuming you meant run this: selinuxdefcon erinn 
>>>>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>>
>>>>>>> Which in turn resulted in this: 
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>
>>>>>> In F-18 you have a version of sssd that actually CAN do selinux
>>>>>> user mapping.
>>>>>>
>>>>>> Run ipa config-show and I'll bet the default SELinux user is
>>>>>> guest_u.
>>>>>>
>>>>>> Try this as an admin user:
>>>>>>
>>>>>> $ ipa config-mod 
>>>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>>>
>>>>>> Then try the login again.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me
>>>>> a failure: ipa config-show ipa: ERROR: 2.44 client incompatible with
>>>>> 2.34 server at u'https://ipa.foo.com/ipa/xml'
>>>
>>>> Yeah, you can talk with an older client to a newer server, but not the 
>>>> other way around.
>>>
>>>>> However, when run from RHEL systems it did indeed show what you 
>>>>> expected.
>>>>>
>>>>> I modified the default context to unconfined_u and after clearing the
>>>>>  sssd cache I logged back in as unconfined_u.
>>>>>
>>>>> Thanks so much for the help in tracking that down,
>>>
>>>> Excellent news!
>>>
>>>> rob
>>>
>>>
>>> This points out a couple of things.  First, we need to stop allowing users to
>>> log in if the login is not allowed via pam_selinux, and secondly we should
>>> report in syslog where the configuration came from, since most people are
>>> going to expect the default.
>>>
>>> semanage login -l needs to be updated to show these files also.
>>>
> 
>> I agree. Would you like me to open tickets for these, or can you chaps 
>> handle it amongst yourselves?
> 
>> -Erinn
> 
> 
> Please open a ticket.
> 

Done: https://bugzilla.redhat.com/show_bug.cgi?id=876363

Hopefully it is clear enough.

-Erinn
