[Freeipa-users] IPA clashing with selinux on users home directories

[Steven Jones]

Thanks, I can put that in Sat.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: Simo Sorce [simo at redhat.com]
Sent: Friday, 9 March 2012 10:35 a.m.
To: Steven Jones
Cc: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] IPA clashing with selinux on users home directories

On Thu, 2012-03-08 at 21:27 +0000, Steven Jones wrote:
> Hi,
>
> I used ipa-client-install --mkhomedir
>
> How do I change that so it will do so properly?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
> ________________________________________
> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Stephen Gallagher [sgallagh at redhat.com]
> Sent: Friday, 9 March 2012 9:43 a.m.
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] IPA clashing with selinux on users home directories
>
> On Thu, 2012-03-08 at 20:14 +0000, Steven Jones wrote:
> > Hi,
> >
> > I am setting up some IPA users what I have noticed is if I or they type
> > startx to start a gui locking the .Xauthority fails, if I setenforce 0
> > then it works fine.....I have never seen this behaviour before and
> > googling suggests its an IPA and selinux conflict.
> >
> > and in fact when I create a local user they get an instant gui from
> > running startx...
> >
>
> I'm guessing you're creating your home directories with the help of
> pam_mkhomedir.so. This won't work with SELinux. You need to install and
> use pam_oddjob_mkhomedir.so instead, which will properly set up SELinux
> contexts for your users.

If you install oddjob_homedir before running ipa-client-install then it
should pick that up automatically.

We already have a patch upstream to require oddjob-mkhomedir at rpm
install.

Simo.

--
Simo Sorce * Red Hat, Inc * New York