On 11/13/2012 02:45 PM, Rob Crittenden wrote:
> Erinn Looney-Triggs wrote:
>> On 11/13/12 11:24, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>
>>>> I am assuming you meant run this: selinuxdefcon erinn
>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>
>>>> Which in turn resulted in this:
>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>
>>> In F-18 you have a version of sssd that actually CAN do selinux user
>>> mapping.
>>>
>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>>
>>> Try this as an admin user:
>>>
>>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>
>>> Then try the login again.
>>>
>>> rob
>>
>> Rob, thanks, you are probably correct; unfortunately the CLI netted me a
>> failure:
>>
>> ipa config-show
>> ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
>
> Yeah, you can talk with an older client to a newer server, but not the
> other way around.
>
>> However, when run from RHEL systems it did indeed show what you
>> expected.
>>
>> I modified the default context to unconfined_u and after clearing the
>> sssd cache I logged back in as unconfined_u.
>>
>> Thanks so much for the help in tracking that down,
>
> Excellent news!
>
> rob

This points out a couple of things. First, we need to stop allowing users to log in if the login is not allowed via pam_selinux, and secondly, we should report in syslog where the configuration came from, since most people are going to expect the default. semanage login -l needs to be updated to show these files also.
-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
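The closing point above, that a login should be able to say where its SELinux mapping came from, as an added example that is not part of the thread: a POSIX shell function that resolves a user's mapping from a sample policy tree and names the file and entry it matched. The lookup order, the logins/<user> file layout written by sssd, and all sample data are assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: resolve a user's SELinux login mapping and
# report which file it came from. The lookup order is an assumption modelled on
# libselinux getseuserbyname():
#   1. <root>/logins/<user>   per-user file sssd writes from the IPA user map
#   2. <root>/seusers         "user:seuser:range"
#   3. <root>/seusers         "%group:seuser:range", first matching group wins
#   4. <root>/seusers         "__default__:seuser:range"
# Prints "<seuser:range> source=<where it was found>".
effective_seuser() {
    user=$1; root=$2; groups=$3
    if [ -f "$root/logins/$user" ]; then
        read -r m < "$root/logins/$user"
        echo "$m source=$root/logins/$user"; return 0
    fi
    [ -f "$root/seusers" ] || { echo "unmapped source=none"; return 1; }
    keys=$user                      # candidate keys in priority order
    for g in $groups; do keys="$keys %$g"; done
    keys="$keys __default__"
    for k in $keys; do
        while IFS= read -r line; do
            case $line in
                ''|'#'*) continue ;;
                "$k":*) echo "${line#*:} source=seusers($k)"; return 0 ;;
            esac
        done < "$root/seusers"
    done
    echo "unmapped source=none"; return 1
}

# Constructed sample tree standing in for /etc/selinux/targeted
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/logins"
    # what sssd writes once the IPA default map is unconfined_u
    echo 'unconfined_u:s0-s0:c0.c1023' > "$d/logins/erinn"
    cat > "$d/seusers" <<'EOF'
# local mappings only; no entry for erinn, so sssd's file must decide
root:unconfined_u:s0-s0:c0.c1023
%staff:staff_u:s0-s0:c0.c1023
__default__:guest_u:s0
EOF
    echo "$d"
}

root=$(make_sample_root)
for u in erinn root alice bob; do
    printf '%-6s -> %s\n' "$u" "$(effective_seuser "$u" "$root" "users")"
done
rm -rf "$root"
```

Pointing `root` at the real `/etc/selinux/targeted` and passing `id -Gn "$user"` as the group list shows which entry a local or IPA-provided mapping actually wins on a given host.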