[Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

Lachlan Musicman datakid at gmail.com
Fri Jul 15 01:27:24 UTC 2016


Hey,

While hunting this sssd/hbac/AD user problem, I noticed in the
selinux_child.log a lot of errors that look like this:

(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser]
(0x0020): Cannot query for galaxy
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):
ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser]
(0x0020): Cannot verify the SELinux user
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
Cannot set SELinux login context.
(Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
selinux_child failed!
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
selinux_child started.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
context initialized
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
performing selinux operations
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/active//seusers.final: 10):
ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser]
(0x0020): Cannot query for simpsonlachlan at petermac.org.au
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):
ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser]
(0x0020): Cannot verify the SELinux user
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
Cannot set SELinux login context.
(Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
selinux_child failed!
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
selinux_child started.
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
context initialized
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
performing selinux operations
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/active//seusers.final: 10):
ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not parse seuser record
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not cache file database
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): could not enter read-only section
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser]
(0x0020): Cannot query for madhamshettiwar piyu at petermac.org.au
(Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
(0x0020): expected character ':', but found 'j'
(/etc/selinux/targeted/modules/tmp//seusers.final: 10):



We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

But it should be noted that this check seems to be failing on a space in
the AD user names.

(I know, spaces in user names is weird, wrong and embarrassing, but it's
not my department. A fantastic example of Technical Debt and why project
planning and testing are best done before implementation.)

cheers
L.
------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
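
An added example, not part of the original post and not code from sssd or libsemanage: a simplified checker for seusers-style records that flags login names containing whitespace, the condition the log above reports for seusers.final. The record grammar used here, the name check_seusers and the sample data are assumptions constructed for illustration.

```python
import re

# Simplified model of one record (an assumption, not libsemanage's parser):
#   login:seuser[:mls_range]
# The login is a single token with no whitespace or ':'; '%' marks a group.
# The MLS range may itself contain ':' (e.g. s0-s0:c0.c1023).
RECORD = re.compile(r"^%?[^\s:]+:[^\s:]+(?::\S+)?$")

# Constructed sample with the same shape as the record quoted in the log.
SAMPLE = """\
# constructed sample data
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
%wheel:staff_u:s0
doe jane@example.test:unconfined_u:s0-s0:c0.c1023
"""


def check_seusers(text):
    """Return (line_no, login, reason) for every record that fails the model."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no record
        if RECORD.match(line):
            continue
        login = line.split(":", 1)[0]
        if re.search(r"\s", login):
            reason = "whitespace in login name"
        else:
            reason = "not in login:seuser[:range] form"
        problems.append((line_no, login, reason))
    return problems


if __name__ == "__main__":
    # Point this at a copy of the seusers file instead of SAMPLE to audit it.
    for line_no, login, reason in check_seusers(SAMPLE):
        print("line %d: %r: %s" % (line_no, login, reason))
```
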