[Freeipa-users] SELinux user mapping

Erinn Looney-Triggs erinn.looneytriggs at gmail.com
Wed Aug 29 07:26:01 UTC 2012


On 08/28/2012 11:23 PM, Jakub Hrozek wrote:
> On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote:
>> I am hoping I haven't missed something here, but it appears that the
>> SELinux user mapping portion is not working for me. This is tested on a
>> RHEL 6.3 client and server.
>>
>> The rule I have:
>>
>>   Rule name: Developers staff_U
>>   SELinux User: staff_u:s0-s0:c0.c1023
>>   Description: Confines developers on dev machines to the staff_u role,
>> allowing them to run sudo.
>>   Enabled: TRUE
>>   User Groups: developers
>>   Host Groups: developer_systems
>>
>> What this rule seems to say, at least to me, is that members of the
>> developers group, on a system in the developer_systems group, should be
>> mapped to staff_u.
>>
>> However when logging in as a test user that is a member of that group,
>> on a member host of the developer_systems group, id -Z lists the user as
>> unconfined: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>
>> Is there some modification to the sssd config that needs to be made, or
>> possibly something in PAM?
>>
>> Thanks,
>>
>> -Erinn
>>
> 
> Hi Erinn,
> 
> unfortunately, the SELinux mapping feature was completely broken in 6.3.
> 
> We've been working on fixing all the bugs during the 6.4 development,
> ended up pretty much rewriting the feature from scratch and as far as I
> know, it's working fine in the 1.9 pre-release.
> 
> SSSD 1.9 is going to be part of 6.4. Alternatively, the pre-releases
> were already built for Fedora 18.
> 

Well that explains that. Glad it wasn't just me.

Thanks for the info,
-Erinn

