On 11/13/12 11:48, Daniel J Walsh wrote:
> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>
>>>>> I am assuming you meant run this:
>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>
>>>>> Which in turn resulted in this:
>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>
>>>> In F-18 you have a version of sssd that actually CAN do selinux user mapping.
>>>>
>>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>>>
>>>> Try this as an admin user:
>>>>
>>>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>
>>>> Then try the login again.
>>>>
>>>> rob
>>>
>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me a failure:
>>>
>>> ipa config-show
>>> ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
>
>> Yeah, you can talk with an older client to a newer server, but not the other way around.
>
>>> However, when run from RHEL systems it did indeed show what you expected.
>>>
>>> I modified the default context to unconfined_u and after clearing the sssd cache I logged back in as unconfined_u.
>>>
>>> Thanks so much for the help in tracking that down,
>
>> Excellent news!
>
>> rob
>
> This points out a couple of things. 1) we need to stop allowing users to login
> if the login is not allowed via pam_selinux, and 2) we should report in
> syslog where the configuration came from, since most people are going to
> expect the default.
>
> semanage login -l needs to be updated to show these files also.

I agree. Would you like me to open tickets for these, or can you chaps handle it amongst yourselves?

-Erinn
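Added example, not from the thread: a small POSIX shell helper that checks the IPA default SELinux user map and the login context a user would get from xdm_t, using the same selinuxdefcon call as above. It assumes the ipa, selinuxdefcon and sss_cache tools are installed with an admin Kerberos ticket held, and that ipa config-show labels the option as "Default SELinux user" (the thread only names --ipaselinuxusermapdefault).

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes the ipa, selinuxdefcon and
# sss_cache tools discussed above are installed and an admin Kerberos ticket is
# held when the script is run with a username argument.

# Pull the default SELinux user map out of `ipa config-show` output on stdin.
# Assumption: the field is labelled "Default SELinux user" (the thread only
# names the option, --ipaselinuxusermapdefault).
parse_default_selinux_user() {
    sed -n 's/^[[:space:]]*Default SELinux user:[[:space:]]*//p' | head -n 1
}

# SELinux user component (first field) of a full context such as
# unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.
seuser_of_context() {
    printf '%s\n' "$1" | cut -d: -f1
}

# True only for the unconfined login context the thread ends up with; a guest_u
# mapping (the IPA default Rob predicts) yields guest_t and fails this check.
context_is_unconfined() {
    case "$1" in
        unconfined_u:unconfined_r:unconfined_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report the configured default and the context a login from xdm_t would get,
# using the same selinuxdefcon invocation as in the thread.
report_login_context() {
    user=$1
    echo "IPA default SELinux user: $(ipa config-show | parse_default_selinux_user)"
    ctx=$(selinuxdefcon "$user" system_u:system_r:xdm_t:s0-s0:c0.c1023)
    echo "$user would log in as: $ctx (SELinux user $(seuser_of_context "$ctx"))"
    if context_is_unconfined "$ctx"; then
        echo "OK: unconfined login"
    else
        echo "NOTE: confined login; after changing the map, run 'sss_cache -E'"
        echo "      so sssd drops its cached mapping before testing again"
    fi
}

# Only touch the live system when a username is given on the command line.
if [ "$#" -gt 0 ]; then
    report_login_context "$1"
fi
```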
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux