[Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

Martin Kosek mkosek at redhat.com
Wed Jan 9 09:02:19 UTC 2013


On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
> On 01/08/13 12:45, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2013-01-08 at 19:31 +0000, Steven Jones wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> I assume RHEL 6.4 is GA shortly; just how straightforward is the 
>>>>>> upgrade from one IPA version to another, please? Regards
>>>>> 
>>>>> Should just require an rpm upgrade and a restart and nothing
>>>>> else.
>>>>> 
>>>>> Simo.
>>>>> 
>>>> 
>>>> If you have multiple servers you'll want to upgrade them one at a
>>>> time in a short period (days, not weeks).
>>>> 
>>>> rob
>>>> 
>>> 
>>> Is this the release where SELinux mapping in IPA actually starts
>>> working?
>>> 
>>> If so that is definitely something to watch out for (I realize this
>>> is more of an SSSD thing, but still). If you aren't careful and you
>>> have your users mapped to something like guest_u, well the upgrade can
>>> be very inconvenient for them.
>> 
>> I believe this was fixed.
>> 
>> rob
> 
> Ok I am just going off of this: 
> https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear 
> like it will be documented but there isn't much you can do about the 
> default being set to guest_u.
> 
> However, if it is fixed that is great news.
> 
> -Erinn

Hello Erinn,
Just to make things clear, it is "fixed" in the sense that it is documented and
the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only
applies to new IPA server installations. As for upgraded installs, you
will want to check the default SELinux user to ensure that it is set to a value
that you want (probably unconfined_u:s0-s0:c0.c1023).

We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023
in the upgrade process as we cannot know if some user does not have it set to
guest_u on purpose.

Thanks for understanding,
Martin
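
Added example, not part of the original message or of FreeIPA's own code: a shell check for the post-upgrade step described above, reading `ipa config-show` output on stdin and flagging a default SELinux user that differs from the one you want. The field labels, the constructed sample output (including the guest_u:s0 value) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit the IPA default SELinux user after an upgrade.
# Assumes `ipa config-show` prints "Default SELinux user:" and
# "SELinux user map order:" lines; all function names are hypothetical.

# Constructed sample of the two relevant config-show lines on an upgraded server.
sample_upgraded_config() {
cat <<'EOF'
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: guest_u:s0
EOF
}

# ipa_field LABEL < config-show-output : print the value of one "Label: value" line.
ipa_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# check_selinux_default WANTED < config-show-output
# Returns 0 if the default equals WANTED, 1 if it differs (review needed),
# 2 if the default is missing or is not an entry of the map order.
check_selinux_default() {
    wanted=$1
    cfg=$(cat)
    default=$(printf '%s\n' "$cfg" | ipa_field 'Default SELinux user')
    order=$(printf '%s\n' "$cfg" | ipa_field 'SELinux user map order')
    if [ -z "$default" ]; then
        echo "UNSET: no default SELinux user in config"
        return 2
    fi
    # The map order is a $-separated list; flag a default that is not listed.
    case "\$$order\$" in
        *"\$$default\$"*) ;;
        *) echo "INVALID: $default not in map order"; return 2 ;;
    esac
    if [ "$default" = "$wanted" ]; then
        echo "OK: $default"
        return 0
    fi
    echo "REVIEW: default is $default, expected $wanted"
    return 1
}

# Demo on the constructed sample; on a real server pipe `ipa config-show` instead.
sample_upgraded_config | check_selinux_default 'unconfined_u:s0-s0:c0.c1023' || true
```

On a server, run it as `ipa config-show | check_selinux_default 'unconfined_u:s0-s0:c0.c1023'`; if the result is REVIEW and the old value was not deliberate, the default can be changed with `ipa config-mod --ipaselinuxusermapdefault='unconfined_u:s0-s0:c0.c1023'`.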



