On 11/13/12 11:24, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> I am assuming you meant run this:
>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>
>> Which in turn resulted in this:
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>
> In F-18 you have a version of sssd that actually CAN do selinux user
> mapping.
>
> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>
> Try this as an admin user:
>
> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>
> Then try the login again.
>
> rob

Rob,

Thanks you are probably correct, unfortunately the CLI netted me a failure:

ipa config-show
ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'

However, when run from RHEL systems it did indeed show what you expected. I modified the default context to unconfined_u and after clearing the sssd cache I logged back in as unconfined_u.

Thanks so much for the help in tracking that down,

-Erinn
-- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux