On 11/13/2012 2:07 PM, Daniel J Walsh wrote:
> On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
>> On 11/13/12 11:48, Daniel J Walsh wrote:
>>> On 11/13/2012 02:45 PM, Rob Crittenden wrote:
>>>> Erinn Looney-Triggs wrote:
>>>>> On 11/13/12 11:24, Rob Crittenden wrote:
>>>>>> Erinn Looney-Triggs wrote:
>>>>>>> On 11/13/12 11:05, Daniel J Walsh wrote:
>>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>>
>>>>>>> I am assuming you meant run this:
>>>>>>>
>>>>>>> selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
>>>>>>>
>>>>>>> Which in turn resulted in this:
>>>>>>>
>>>>>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>>>>>
>>>>>> In F-18 you have a version of sssd that actually CAN do selinux
>>>>>> user mapping.
>>>>>>
>>>>>> Run ipa config-show and I'll bet the default SELinux user is
>>>>>> guest_u.
>>>>>>
>>>>>> Try this as an admin user:
>>>>>>
>>>>>> $ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>>>
>>>>>> Then try the login again.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Rob, thanks, you are probably correct; unfortunately the CLI netted me
>>>>> a failure:
>>>>>
>>>>> ipa config-show
>>>>> ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
>>>>
>>>> Yeah, you can talk with an older client to a newer server, but not the
>>>> other way around.
>>>>
>>>>> However, when run from RHEL systems it did indeed show what you
>>>>> expected.
>>>>>
>>>>> I modified the default context to unconfined_u and after clearing the
>>>>> sssd cache I logged back in as unconfined_u.
>>>>>
>>>>> Thanks so much for the help in tracking that down,
>>>>
>>>> Excellent news!
>>>>
>>>> rob
>>>
>>> This points out a couple of things. 1) We need to stop allowing users to
>>> login if the login is not allowed via pam_selinux, and secondly we should
>>> report in syslog where the configuration came from, since most people are
>>> going to expect the default.
>>>
>>> semanage login -l needs to be updated to show these files also.
>>
>> I agree. Would you like me to open tickets for these, or can you chaps
>> handle it amongst yourselves?
>>
>> -Erinn
>
> Please open a ticket.

Done: https://bugzilla.redhat.com/show_bug.cgi?id=876363

Hopefully it is clear enough.

-Erinn
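The thread's confusion came from not being able to see which login mapping won (the IPA-supplied default versus local entries). The script below is an added example, not code from the thread or from policycoreutils: it resolves a user's SELinux user the way local seusers lookups are ordered (exact login, then %group, then __default__) over a constructed `semanage login -l` listing, and reports the source of the match. The listing, user names and group memberships are all constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `semanage login -l` output (not captured from the thread).
SAMPLE_LOGINS='Login Name           SELinux User         MLS/MCS Range        Service
__default__          guest_u              s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
%wheel               staff_u              s0-s0:c0.c1023       *
erinn                unconfined_u         s0-s0:c0.c1023       *'

# lookup_name NAME: print "seuser range" for an exact Login Name match, nothing otherwise.
lookup_name() {
    printf '%s\n' "$SAMPLE_LOGINS" | while read -r name seuser range _service; do
        if [ "$name" = "$1" ]; then
            printf '%s %s\n' "$seuser" "$range"
            break
        fi
    done
}

# resolve_login USER "GROUP1 GROUP2 ...": print "seuser range source=...".
# Precedence mirrors the seusers lookup order: exact login, then %group, then __default__.
# Group membership is passed in explicitly so the example runs without NSS/sssd.
resolve_login() {
    user=$1
    groups=$2
    hit=$(lookup_name "$user")
    if [ -n "$hit" ]; then
        printf '%s source=login:%s\n' "$hit" "$user"
        return 0
    fi
    for g in $groups; do
        hit=$(lookup_name "%$g")
        if [ -n "$hit" ]; then
            printf '%s source=group:%%%s\n' "$hit" "$g"
            return 0
        fi
    done
    hit=$(lookup_name __default__)
    if [ -n "$hit" ]; then
        printf '%s source=__default__\n' "$hit"
        return 0
    fi
    printf 'no mapping\n'
    return 1
}

resolve_login erinn "wheel"       # unconfined_u s0-s0:c0.c1023 source=login:erinn
resolve_login bob   "wheel users" # staff_u s0-s0:c0.c1023 source=group:%wheel
resolve_login alice "users"       # guest_u s0 source=__default__
```

On an IPA-enrolled F-18 host the winning entry for a domain user comes from sssd's cached IPA mapping rather than this local table, which is exactly why Walsh wants `semanage login -l` and syslog to show that source as well.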
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux