[Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3
Martin Kosek
mkosek at redhat.com
Wed Jan 9 09:02:19 UTC 2013
On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
> On 01/08/13 12:45, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2013-01-08 at 19:31 +0000, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I assume RHEL 6.4 is GA shortly. Just how straightforward is the
>>>>>> upgrade from one IPA version to another, please? Regards
>>>>>
>>>>> Should just require an rpm upgrade and a restart and nothing
>>>>> else.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> If you have multiple servers you'll want to upgrade them one at a
>>>> time in a short period (days, not weeks).
>>>>
>>>> rob
>>>>
>>>
>>> Is this the release where SELinux mapping in IPA actually starts
>>> working?
>>>
>>> If so that is definitely something to watch out for (I realize this
>>> is more of an SSSD thing, but still). If you aren't careful and you
>>> have your users mapped to something like guest_u, well the upgrade can
>>> be very inconvenient for them.
>>
>> I believe this was fixed.
>>
>> rob
>
> Ok I am just going off of this:
> https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear
> like it will be documented but there isn't much you can do about the
> default being set to guest_u.
>
> However, if it is fixed that is great news.
>
> -Erinn
Hello Erinn,

Just to make things clear, it is "fixed" in the sense that it is documented and
the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only
applies to new IPA server installations. As for upgraded installs, you will
want to check the default SELinux user to ensure that it is set to a value that
you want (probably unconfined_u:s0-s0:c0.c1023).

We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023
in the upgrade process as we cannot know whether some user has it set to
guest_u on purpose.

Thanks for understanding,
Martin
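
The post-upgrade check described in the message above, as an added example that is not part of the original thread: a shell function that reads `ipa config-show` output and flags a guest_u default or a default that is missing from the map order. The field labels and the sample output are assumptions constructed for illustration; compare them with what your server prints.

```shell
#!/bin/sh
# Added example: audit the IPA default SELinux user after an upgrade.
# Usage on an IPA server (with a valid admin ticket):
#   ipa config-show | audit_selinux_default
# To change the default once you have decided on a value:
#   ipa config-mod --ipaselinuxusermapdefault='unconfined_u:s0-s0:c0.c1023'

# Constructed sample of the two relevant `ipa config-show` lines on an
# upgraded server (field labels assumed; not captured from a real system).
sample_upgraded_config() {
    cat <<'EOF'
  Default SELinux user: guest_u:s0
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
EOF
}

# Print the value of one "Label: value" field read from stdin.
ipa_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Exit status: 0 = default is not guest_u, 1 = default is guest_u,
# 2 = default missing from the input or not listed in the map order.
audit_selinux_default() {
    cfg=$(cat)
    default=$(printf '%s\n' "$cfg" | ipa_field 'Default SELinux user')
    order=$(printf '%s\n' "$cfg" | ipa_field 'SELinux user map order')
    if [ -z "$default" ]; then
        echo "no default SELinux user found in input" >&2
        return 2
    fi
    # The map order is a '$'-separated list; the default must be one entry.
    case "\$$order\$" in
        *"\$$default\$"*) ;;
        *) echo "default '$default' is not in the map order" >&2
           return 2 ;;
    esac
    case "$default" in
        guest_u*)
            echo "default is '$default': confirm this is intentional" >&2
            return 1 ;;
    esac
    echo "default SELinux user: $default"
}
```
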