Re: Why am I a guest on Fedora 18?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 11/13/12 11:48, Daniel J Walsh wrote:
> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 
>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>
>>>>>
>>>>> I am assuming you meant run this: selinuxdefcon erinn
>>>>> system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>
>>>>> Which in turn resulted in this: 
>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>
>>>> In F-18 you have a version of sssd that actually CAN do selinux user 
>>>> mapping.
>>>>
>>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>>>
>>>> Try this as an admin user:
>>>>
>>>> $ ipa config-mod
>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>
>>>> Then try the login again.
>>>>
>>>> rob
>>>
>>> Rob, Thanks you are probably correct, unfortunately the CLI netted me a
>>> failure: ipa config-show ipa: ERROR: 2.44 client incompatible with 2.34
>>> server at u'https://ipa.foo.com/ipa/xml'
> 
>> Yeah, you can talk with an older client to a newer server, but not the
>> other way around.
> 
>>> However, when run from RHEL systems it did indeed show what you
>>> expected.
>>>
>>> I modified the default context to unconfined_u and after clearing the 
>>> sssd cache I logged back in as unconfined_u.
>>>
>>> Thanks so much for the help in tracking that down,
> 
>> Excellent news!
> 
>> rob
> 
> 
> This points out a couple of things.  1 we need to stop allowing users to login
> if the login is not allowed via pam_selinux, and secondly we should report in
> syslog where the configuration came from, since most people are going to
> expect the default.
> 
> semanage login -l needs to be updated to show these files also.
> 

I agree. Would you like me to open tickets for these, or can you chaps
handle it amongst yourselves?

-Erinn


Attachment: signature.asc
Description: OpenPGP digital signature

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux