[Freeipa-users] SELinux user mapping

Jakub Hrozek jhrozek at redhat.com
Wed Aug 29 07:23:03 UTC 2012


On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote:
> I am hoping I haven't missed something here, but it appears that the
> SELinux user mapping portion is not working for me. This is tested on a
> RHEL 6.3 client and server.
> 
> The rule I have:
> 
>   Rule name: Developers staff_U
>   SELinux User: staff_u:s0-s0:c0.c1023
>   Description: Confines developers on dev machines to the staff_u role,
> allowing them to run sudo.
>   Enabled: TRUE
>   User Groups: developers
>   Host Groups: developer_systems
> 
> What this rule seems to say, at least to me, is members of the
> developers groups, on a system in the developer_systems group, should be
> mapped to staff_u.
> 
> However when logging in as a test user that is a member of that group,
> on a member host of the developer_systems group, id -Z lists the user as
> unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> 
> Is there some modification to the sssd config that needs to be made, or
> possibly something in PAM?
> 
> Thanks,
> 
> -Erinn
> 

Hi Erinn,

Unfortunately, the SELinux mapping feature was completely broken in 6.3.

We've been working on fixing all the bugs during the 6.4 development,
ended up pretty much rewriting the feature from scratch and as far as I
know, it's working fine in the 1.9 pre-release.

SSSD 1.9 is going to be part of 6.4. Alternatively, the pre-releases
were already built for Fedora 18.

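As an added example that is not part of the thread: a small POSIX shell check that compares the "SELinux User" value of an IPA rule (user:mls-range, as in the rule quoted above) with the four-field context that `id -Z` prints, so a mismatch like the one Erinn observed can be spotted automatically on each host in the host group. It assumes those two formats and uses function names of my own choosing.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA project or the thread.
# An IPA SELinux user map rule carries "user:mls-range", e.g. staff_u:s0-s0:c0.c1023.
# `id -Z` prints "user:role:type:range", e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023.

# selinux_map_matches RULE_VALUE OBSERVED_CONTEXT
# Succeeds (exit 0) when the SELinux user and the MLS range of the observed
# context equal those promised by the rule; fails otherwise.
selinux_map_matches() {
    expected="$1"
    observed="$2"
    exp_user=${expected%%:*}          # text before the first colon
    exp_range=${expected#*:}          # everything after the first colon
    obs_user=${observed%%:*}
    rest=${observed#*:}               # drop user
    rest=${rest#*:}                   # drop role
    obs_range=${rest#*:}              # drop type; what is left is the range
    [ "$exp_user" = "$obs_user" ] && [ "$exp_range" = "$obs_range" ]
}

# check_mapping RULE_VALUE
# Runs `id -Z` for the current (test) user and reports whether the live
# context matches the rule. Exit 0 = mapped as expected, 1 = mismatch,
# 2 = no SELinux context available on this host.
check_mapping() {
    ctx=$(id -Z 2>/dev/null) || { echo "id -Z unavailable (SELinux disabled?)"; return 2; }
    if selinux_map_matches "$1" "$ctx"; then
        echo "OK: $ctx matches rule $1"
    else
        echo "MISMATCH: got $ctx, rule promises $1"
        return 1
    fi
}
```

Log in as a member of the developers group on a developer_systems host and run `check_mapping "staff_u:s0-s0:c0.c1023"`; a MISMATCH line is the condition described in the original question.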