[Freeipa-users] SELinux user mapping
Erinn Looney-Triggs
erinn.looneytriggs at gmail.com
Wed Aug 29 07:26:01 UTC 2012
On 08/28/2012 11:23 PM, Jakub Hrozek wrote:
> On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote:
>> I am hoping I haven't missed something here, but it appears that the
>> SELinux user mapping portion is not working for me. This is tested on a
>> RHEL 6.3 client and server.
>>
>> The rule I have:
>>
>> Rule name: Developers staff_U
>> SELinux User: staff_u:s0-s0:c0.c1023
>> Description: Confines developers on dev machines to the staff_u role,
>> allowing them to run sudo.
>> Enabled: TRUE
>> User Groups: developers
>> Host Groups: developer_systems
>>
>> What this rule seems to say, at least to me, is members of the
>> developers groups, on a system in the developer_systems group, should be
>> mapped to staff_u.
>>
>> However when logging in as a test user that is a member of that group,
>> on a member host of the developer_systems group, id -Z lists the user as
>> unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> Is there some modification to the sssd config that needs to be made, or
>> possibly something in PAM?
>>
>> Thanks,
>>
>> -Erinn
>>
>
> Hi Erinn,
>
> unfortunately, the SELinux mapping feature was completely broken in 6.3.
>
> We've been working on fixing all the bugs during the 6.4 development,
> ended up pretty much rewriting the feature from scratch and as far as I
> know, it's working fine in the 1.9 pre-release.
>
> SSSD 1.9 is going to be part of 6.4..alternatively, the pre-releases
> were already built for Fedora 18.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
Well that explains that. Glad it wasn't just me.
Thanks for the info,
-Erinn
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 551 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20120828/89fcdae8/attachment.sig>
More information about the Freeipa-users
mailing list