SELinux preventing login (Fedora 16)

Daniel J Walsh dwalsh at redhat.com
Fri Apr 13 14:31:15 UTC 2012


On 04/13/2012 01:06 AM, Braden McDaniel wrote:
> On Thu, 2012-04-12 at 22:55 -0400, Daniel J Walsh wrote:
>> On 04/12/2012 08:47 PM, Braden McDaniel wrote:
> 
> [snip]
> 
>>> I am using Kerberos for authentication; but I'm using LDAP for user 
>>> information.
>>> 
>>> (Though I get the impression that login is currently falling back to
>>> local authentication; because I don't have a Kerberos ticket after I
>>> log in.)
>>> 
>> But you are not using sssd for this.
> 
> I am under the impression that I am using sssd.
> 
>> Anyways do you still believe you are having SELinux issues?
> 
> Since I haven't seen any more alerts, I don't think I am.  If you are 
> sufficiently curious, I can unset authlogin_nsswitch_use_ldap and see what
> happens.
> 


Basically, in Fedora 16 we turned off the ability of apps that did getpw()
to connect to the ldap port, by default.  Turning that boolean on allows all
domains that call getpw to connect to the ldap port.  We turned this off
because sssd now connects to ldap if it is set up, and apps calling getpw
talk to sssd rather than ldap.  We have seen some daemons (samba) that
talk directly that we have broken with this change, but I believe the fixes
are going into Fedora now.
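
Added example, not part of the original message: since the boolean opens the ldap port to every domain that calls getpw, it helps to see which domains are actually being denied before turning it on. The sketch below tallies `name_connect` denials against the LDAP port from audit log text; the sample lines are constructed, and the port type name `ldap_port_t` and the function names are assumptions not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log AVC format (not from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1334300000.101:210): avc:  denied  { name_connect } for  pid=1412 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334300002.554:214): avc:  denied  { name_connect } for  pid=1720 comm="login" dest=389 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1334300005.010:219): avc:  denied  { read } for  pid=1801 comm="httpd" name="index.html" dev=dm-1 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1334300009.900:230): avc:  denied  { name_connect } for  pid=1412 comm="smbd" dest=389 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return the key=value fields of an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(context):
    """Extract the type from a user:role:type:level security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""


def ldap_connect_denials(log_text, port_type="ldap_port_t"):
    """Count denied connects to the LDAP port, keyed by (source domain, comm)."""
    hits = Counter()
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if not avc or "name_connect" not in avc["perms"]:
            continue
        if avc.get("tclass") != "tcp_socket":
            continue
        if context_type(avc.get("tcontext", "")) != port_type:
            continue
        domain = context_type(avc.get("scontext", ""))
        hits[(domain, avc.get("comm", "").strip('"'))] += 1
    return hits


if __name__ == "__main__":
    for (domain, comm), count in ldap_connect_denials(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {domain:<16} {comm}")
```

On a real system the same function can be fed the contents of the audit log instead of `SAMPLE_LOG`.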


