On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
> On 11/13/12 11:48, Daniel J Walsh wrote:
>> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>>> Erinn Looney-Triggs wrote:
>>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>
>>>>>> I am assuming you meant run this:
>>>>>>
>>>>>>   selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>
>>>>>> Which in turn resulted in this:
>>>>>>
>>>>>>   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>
>>>>> In F-18 you have a version of sssd that actually CAN do SELinux
>>>>> user mapping.
>>>>>
>>>>> Run ipa config-show and I'll bet the default SELinux user is guest_u.
>>>>>
>>>>> Try this as an admin user:
>>>>>
>>>>>   $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>>
>>>>> Then try the login again.
>>>>>
>>>>> rob
>>>>
>>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me
>>>> a failure:
>>>>
>>>>   ipa config-show
>>>>   ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
>>>
>>> Yeah, you can talk with an older client to a newer server, but not the
>>> other way around.
>>>
>>>> However, when run from RHEL systems it did indeed show what you
>>>> expected.
>>>>
>>>> I modified the default context to unconfined_u and after clearing the
>>>> sssd cache I logged back in as unconfined_u.
>>>>
>>>> Thanks so much for the help in tracking that down,
>>>
>>> Excellent news!
>>>
>>> rob
>>
>> This points out a couple of things. 1) we need to stop allowing users to
>> log in if the login is not allowed via pam_selinux, and 2) we should
>> report in syslog where the configuration came from, since most people are
>> going to expect the default.
>>
>> semanage login -l needs to be updated to show these files also.
>
> I agree. Would you like me to open tickets for these, or can you chaps
> handle it amongst yourselves?
>
> -Erinn

Please open a ticket.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
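The diagnosis in this thread turns on two things: which SELinux user a login name resolves to (the IPA-wide `ipaselinuxusermapdefault` versus the local `semanage login` entries), and, as Daniel asks for, recording where that mapping came from. The script below is an added example written for this page; it is not code from the thread, from sssd or from FreeIPA. It parses a constructed `semanage login -l` table and an `ipaselinuxusermapdefault` value, resolves a login under a precedence rule that is an assumption of the example (explicit local entry, then the IPA default, then the local `__default__`), and emits one audit line per login that names the source of the mapping. The `DEFAULT_ROLE_TYPE` table is a constructed stand-in for the policy's default role and type per SELinux user, used only to show the full context a login would land in.

```python
"""Resolve the SELinux user a login name maps to and record where the mapping
came from.  Added example for this page; not sssd or IPA code.  The sample
'semanage login -l' table, the precedence rule and DEFAULT_ROLE_TYPE are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SEContext:
    user: str
    role: str
    type: str
    mls: str  # MLS/MCS range, e.g. "s0-s0:c0.c1023"; empty when absent


def parse_context(ctx: str) -> SEContext:
    """Split a full context such as system_u:system_r:xdm_t:s0-s0:c0.c1023.
    The range itself contains colons, so only the first three separators
    delimit fields."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f"malformed SELinux context: {ctx!r}")
    mls = parts[3] if len(parts) == 4 else ""
    return SEContext(parts[0], parts[1], parts[2], mls)


def parse_usermap_default(value: str) -> Tuple[str, str]:
    """Parse an ipaselinuxusermapdefault value 'seuser:mlsrange', e.g.
    'unconfined_u:s0-s0:c0.c1023' or 'guest_u:s0'."""
    seuser, sep, mls = value.partition(":")
    if not seuser or not sep or not mls:
        raise ValueError(f"expected 'seuser:mlsrange', got {value!r}")
    return seuser, mls


# Constructed sample of a 'semanage login -l' table (login name, SELinux user,
# MLS/MCS range).  Real output may carry further columns; they are ignored.
SAMPLE_SEMANAGE_LOGIN = """\
Login Name           SELinux User         MLS/MCS Range

__default__          unconfined_u         s0-s0:c0.c1023
root                 unconfined_u         s0-s0:c0.c1023
system_u             system_u             s0-s0:c0.c1023
"""


def parse_semanage_login(output: str) -> Dict[str, Tuple[str, str]]:
    """Turn the table into {login: (seuser, mls)}; header and blanks skipped."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in output.splitlines():
        cols = line.split()
        if len(cols) < 3 or cols[0] == "Login":
            continue
        table[cols[0]] = (cols[1], cols[2])
    return table


LOCAL_MAP = parse_semanage_login(SAMPLE_SEMANAGE_LOGIN)

# Constructed stand-in for the policy's default role/type per SELinux user.
DEFAULT_ROLE_TYPE = {
    "unconfined_u": ("unconfined_r", "unconfined_t"),
    "guest_u": ("guest_r", "guest_t"),
    "staff_u": ("staff_r", "staff_t"),
    "user_u": ("user_r", "user_t"),
}


def resolve_login(login: str, local_map: Dict[str, Tuple[str, str]],
                  ipa_default: Optional[str]) -> Tuple[str, str, str]:
    """Return (seuser, mls, source).  Precedence assumed for this example:
    an explicit local entry for the login, then the IPA-wide default that
    sssd would apply, then the local __default__ entry."""
    if login in local_map:
        seuser, mls = local_map[login]
        return seuser, mls, f"semanage login entry for {login}"
    if ipa_default:
        seuser, mls = parse_usermap_default(ipa_default)
        return seuser, mls, "ipa config ipaselinuxusermapdefault"
    if "__default__" in local_map:
        seuser, mls = local_map["__default__"]
        return seuser, mls, "semanage login __default__"
    raise LookupError(f"no SELinux user mapping for {login!r}")


def expected_context(login: str, local_map, ipa_default) -> str:
    """Full context the login would receive under DEFAULT_ROLE_TYPE."""
    seuser, mls, _ = resolve_login(login, local_map, ipa_default)
    if seuser not in DEFAULT_ROLE_TYPE:
        raise LookupError(f"no default role/type known for {seuser}")
    role, type_ = DEFAULT_ROLE_TYPE[seuser]
    return f"{seuser}:{role}:{type_}:{mls}"


def audit_logins(logins: List[str], local_map, ipa_default) -> List[str]:
    """One syslog-style line per login: resolved SELinux user plus the
    source of the mapping, which is what the thread asks to be reported."""
    lines = []
    for login in logins:
        seuser, mls, source = resolve_login(login, local_map, ipa_default)
        note = "" if seuser == "unconfined_u" else " (confined)"
        lines.append(f"login={login} seuser={seuser} mls={mls} source={source}{note}")
    return lines


if __name__ == "__main__":
    # A guest_u default, the situation Rob suspected, versus the unconfined one.
    for default in ("guest_u:s0", "unconfined_u:s0-s0:c0.c1023"):
        for line in audit_logins(["erinn", "root"], LOCAL_MAP, default):
            print(line)
        print("context for erinn:", expected_context("erinn", LOCAL_MAP, default))
```

With the `guest_u:s0` default the audit line for `erinn` names the IPA default as its source and flags the login as confined, while `root` keeps its explicit local entry; with the `unconfined_u` default the expected context matches the `unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023` line quoted at the top of the thread. Logging the `source` field is the point: when a login unexpectedly lands in a confined domain, the operator can see at once whether a local `semanage login` entry or the IPA-wide default produced it.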