Been trying to figure this one out for a bit.
erinn@thin-mint ~ $ id -Z
guest_u:guest_r:oddjob_mkhomedir_t:s0
Fine, well not fine, but given that the homedir was created by oddjob since this is an IPA client, it makes sense.
However:
erinn@thin-mint ~ $ sudo semanage login -l
Login Name SELinux User MLS/MCS Range
__default__ unconfined_u s0-s0:c0.c1023
erinn unconfined_u s0-s0:c0.c1023
root unconfined_u s0-s0:c0.c1023
system_u system_u s0-s0:c0.c1023
Ok, so I should be unconfined_u according to this mapping, right?
Is this perhaps SSSD interfering? This F18 client is running against a RHEL 6.3 IPA server, fully updated. I tried to work with the SELinux mappings in IPA, however, I was informed that as of 6.3 they are almost totally broken and to wait for the next release.
Anyway, any ideas?
-Erinn
On 11/13/2012 11:37 AM, Erinn Looney-Triggs wrote:
Well, I have no idea; first make sure your login program has the correct label.
On 11/13/12 10:40, Daniel J Walsh wrote:
Well, I have no idea; first make sure your login program has the correct label.
Well hell Dan if you don't know I might be in some serious trouble ;).
ls -lZ $(which gdm)
-rwxr-xr-x. root root system_u:object_r:xdm_exec_t:s0 /usr/sbin/gdm
I did a relabel of the entire file system just to make sure, still came up as guest_u. Though interestingly, to me at least, it relabelled a bunch of files in my homedir unconfined_u, though not all of them.
I haven't done any customization of SELinux on this system, this was a straight clean install of Fedora 18 Alpha.
Any other theories?
-Erinn
On 11/13/2012 01:54 PM, Erinn Looney-Triggs wrote:
ps -eZ | grep gdm
On 11/13/2012 01:58 PM, Erinn Looney-Triggs wrote:
On 11/13/12 10:57, Daniel J Walsh wrote:
ps -eZ | grep gdm
system_u:system_r:xdm_t:s0-s0:c0.c1023 757 ? 00:00:00 gdm-binary
system_u:system_r:xdm_t:s0-s0:c0.c1023 1103 ? 00:00:00 gdm-simple-slav
system_u:system_r:xdm_t:s0-s0:c0.c1023 1469 ? 00:00:00 gdm-session-wor
-Erinn
selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
On 11/13/12 11:05, Daniel J Walsh wrote:
selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
I am assuming you meant run this: selinuxdefcon erinn system_u:system_r:xdm_t:s0-s0:c0.c1023
Which in turn resulted in this: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-Erinn
Erinn Looney-Triggs wrote:
In F-18 you have a version of sssd that actually CAN do selinux user mapping.
Run ipa config-show and I'll bet the default SELinux user is guest_u.
Try this as an admin user:
$ ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
Then try the login again.
rob
On 11/13/12 11:24, Rob Crittenden wrote:
Rob, thanks, you are probably correct; unfortunately the CLI netted me a failure:
ipa config-show
ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
However, when run from RHEL systems it did indeed show what you expected.
I modified the default context to unconfined_u and after clearing the sssd cache I logged back in as unconfined_u.
Thanks so much for the help in tracking that down,
-Erinn
Erinn Looney-Triggs wrote:
Rob, thanks, you are probably correct; unfortunately the CLI netted me a failure:
ipa config-show
ipa: ERROR: 2.44 client incompatible with 2.34 server at u'https://ipa.foo.com/ipa/xml'
Yeah, you can talk with an older client to a newer server, but not the other way around.
However, when run from RHEL systems it did indeed show what you expected.
I modified the default context to unconfined_u and after clearing the sssd cache I logged back in as unconfined_u.
Thanks so much for the help in tracking that down,
Excellent news!
rob
On 11/13/2012 02:45 PM, Rob Crittenden wrote:
This points out a couple of things: 1) we need to stop allowing users to log in if the login is not allowed via pam_selinux, and 2) we should report in syslog where the configuration came from, since most people are going to expect the default.
semanage login -l needs to be updated to show these files also.
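The root cause Rob identified (SSSD applying the IPA default SELinux user) and the gap Dan describes (`semanage login -l` not showing the per-user files) come down to lookup order. The following is an added example, written for this page and not code from the thread, libselinux, SSSD or IPA. It models the order libselinux uses when a login program asks for a user's SELinux user: the per-user file under `/etc/selinux/<policy>/logins/<username>` (which SSSD writes from the IPA mapping) is consulted before the `seusers` entries that `semanage login -l` displays. The policy root, the `seusers` data (copied from Erinn's listing) and the contents of the per-user file are all constructed inside a temporary directory; the exact on-disk format of the per-user file is assumed here to be `seuser:mls_range` with an optional `*:` service prefix, so verify against your libselinux version before relying on that detail.

```python
"""Added example: why `id -Z` can disagree with `semanage login -l` on an IPA client.

Lookup order modelled (libselinux getseuserbyname):
  1. <policy_root>/logins/<username>  - per-user file written by SSSD from IPA
  2. the user's own line in seusers   - what `semanage login -l` shows
  3. the __default__ line in seusers
"""
import os
import tempfile

# Constructed input: the seusers entries Erinn listed with `semanage login -l`
# (format login:seuser:mls_range; note the range itself contains a colon).
SEUSERS_TEXT = """\
__default__:unconfined_u:s0-s0:c0.c1023
erinn:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
"""


def parse_seusers(text):
    """Parse seusers lines into {login: (seuser, mls_range)}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 2)          # at most 3 fields; range keeps its colon
        if len(parts) < 2:
            continue
        login, seuser = parts[0], parts[1]
        mls_range = parts[2] if len(parts) == 3 else ""
        table[login] = (seuser, mls_range)
    return table


def parse_login_file(path):
    """Parse the per-user logins file.
    ASSUMPTION: content is 'seuser:mls_range', optionally prefixed with '*:'."""
    with open(path) as fh:
        line = fh.readline().strip()
    if line.startswith("*:"):
        line = line[2:]
    seuser, _, mls_range = line.partition(":")
    return seuser, mls_range


def effective_seuser(username, policy_root, seusers_text):
    """Resolve username in libselinux order. Returns (seuser, mls_range, source)."""
    login_file = os.path.join(policy_root, "logins", username)
    if os.path.isfile(login_file):                  # step 1: per-user file wins
        seuser, mls_range = parse_login_file(login_file)
        return seuser, mls_range, login_file
    table = parse_seusers(seusers_text)
    for key in (username, "__default__"):           # steps 2 and 3
        if key in table:
            return table[key] + ("seusers:" + key,)
    return None


def diagnose(username, policy_root, seusers_text):
    """What `semanage login -l` leads you to expect versus what actually applies."""
    table = parse_seusers(seusers_text)
    expected = table.get(username, table.get("__default__", (None, None)))[0]
    seuser, mls_range, source = effective_seuser(username, policy_root, seusers_text)
    return {"semanage_shows": expected, "effective": seuser,
            "range": mls_range, "source": source}


def demo():
    """Reproduce the thread's mismatch, then the state after Rob's fix."""
    root = tempfile.mkdtemp(prefix="selinux-demo-")   # constructed policy root
    os.makedirs(os.path.join(root, "logins"))
    login_file = os.path.join(root, "logins", "erinn")
    # Constructed: what SSSD drops here while the IPA default SELinux user is guest_u.
    with open(login_file, "w") as fh:
        fh.write("guest_u:s0\n")
    before = diagnose("erinn", root, SEUSERS_TEXT)
    # After `ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023`
    # and an SSSD cache clear, the next login rewrites the file.
    with open(login_file, "w") as fh:
        fh.write("unconfined_u:s0-s0:c0.c1023\n")
    after = diagnose("erinn", root, SEUSERS_TEXT)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("before fix", "after fix"), demo()):
        print(label, result)
```

On a real host the equivalent check is to read `/etc/selinux/targeted/logins/$USER` directly alongside `semanage login -l` and `selinuxdefcon`; if the per-user file exists, it is the answer the login program will use regardless of what `seusers` says, and it only changes when SSSD rewrites it on the next login (after clearing its cache, for example with `sss_cache -E`).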
On 11/13/12 11:48, Daniel J Walsh wrote:
This points out a couple of things. 1 we need to stop allowing users to login if the login is not allowed via pam_selinux, and secondly we should report in syslog where the configuration came from, since most people are going to expect the default.
semanage login -l needs to be updated to show these files also.
I agree. Would you like me to open tickets for these, or can you chaps handle it amongst yourselves?
-Erinn
On 11/13/2012 02:53 PM, Erinn Looney-Triggs wrote:
I agree. Would you like me to open tickets for these, or can you chaps handle it amongst yourselves?
-Erinn
Please open a ticket.
On 11/13/2012 2:07 PM, Daniel J Walsh wrote:
Please open a ticket.
Done: https://bugzilla.redhat.com/show_bug.cgi?id=876363
Hopefully it is clear enough.
-Erinn
selinux@lists.fedoraproject.org