[Freeipa-users] Error in selinux child: libsemanage can't parse spaces in AD user names

Lachlan Musicman datakid at gmail.com
Fri Jul 15 02:56:39 UTC 2016


This line:

We have SELinux disabled on all of our servers, but we hadn't disabled this
check in sssd.conf. So we enabled it in sssd.conf and everything worked
fine.

Should read that we *disabled* selinux.

selinux_provider = none

Cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper

On 15 July 2016 at 11:27, Lachlan Musicman <datakid at gmail.com> wrote:

> Hey,
>
> While hunting this sssd/hbac/AD user problem, I noticed in the
> selinux_child.log a lot of errors that look like this:
>
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [get_seuser]
> (0x0020): Cannot query for galaxy
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 09:40:29 2016) [[sssd[selinux_child[5446]]]] [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
> context initialized
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [get_seuser]
> (0x0020): Cannot query for simpsonlachlan at petermac.org.au
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
> ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [set_seuser]
> (0x0020): Cannot verify the SELinux user
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
> Cannot set SELinux login context.
> (Thu Jul 14 10:21:32 2016) [[sssd[selinux_child[5504]]]] [main] (0x0020):
> selinux_child failed!
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
> selinux_child started.
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
> context initialized
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [main] (0x0400):
> performing selinux operations
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/active//seusers.final: 10):
> ellul jason at petermac.org.au:unconfined_u:s0-s0:c0.c1023
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
> (0x0020): could not parse seuser record
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
> (0x0020): could not cache file database
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
> (0x0020): could not enter read-only section
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [get_seuser]
> (0x0020): Cannot query for madhamshettiwar piyu at petermac.org.au
> (Thu Jul 14 10:37:14 2016) [[sssd[selinux_child[5585]]]] [libsemanage]
> (0x0020): expected character ':', but found 'j'
> (/etc/selinux/targeted/modules/tmp//seusers.final: 10):
>
>
>
> We have SELinux disabled on all of our servers, but we hadn't disabled
> this check in sssd.conf. So we enabled it in sssd.conf and everything
> worked fine.
>
> But it should be noted that this check seems to be failing on a space in
> the AD user names.
>
> (I know, spaces in user names is weird, wrong and embarrassing, but it's
> not my department. A fantastic example of Technical Debt and why project
> planning and testing are best done before implementation.)
>
> cheers
> L.
> ------
> The most dangerous phrase in the language is, "We've always done it this
> way."
>
> - Grace Hopper
>
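The parse failure in the quoted log, as an added example that is not part of the original post and is not libsemanage's own code: a simplified model of the seusers record rule (a login name ends at the first ':' or whitespace, and a ':' must come next), used to find the records that trigger "expected character ':'". The function names and the sample file content are constructed for illustration.

```python
def check_seuser_line(line):
    """Return None if the record fits login:seuser[:mls_range], else an error string."""
    text = line.strip()
    i, n = 0, len(text)
    # The login name token ends at the first ':' or whitespace character.
    while i < n and text[i] != ":" and not text[i].isspace():
        i += 1
    if i == 0:
        return "empty login name"
    # Whitespace after the token is skipped; the next character must be ':'.
    while i < n and text[i].isspace():
        i += 1
    if i >= n:
        return "expected character ':', but found end of line"
    if text[i] != ":":
        return "expected character ':', but found '%s'" % text[i]
    seuser = text[i + 1:].split(":", 1)[0].strip()
    if not seuser:
        return "missing SELinux user"
    return None


def scan_seusers(content):
    """Return (line_number, error, record) for every record that fails the check."""
    problems = []
    for lineno, line in enumerate(content.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments are not records
        error = check_seuser_line(line)
        if error:
            problems.append((lineno, error, stripped))
    return problems


# Constructed sample in seusers format; names are placeholders, not from a real host.
SAMPLE = """\
# constructed sample
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
doe jane@example.com:unconfined_u:s0-s0:c0.c1023
jdoe@example.com:unconfined_u:s0-s0:c0.c1023
"""

if __name__ == "__main__":
    for lineno, error, record in scan_seusers(SAMPLE):
        print("line %d: %s: %s" % (lineno, error, record))
```

A single record of this kind makes the whole file unreadable to the parser, which matches the log above, where queries for unrelated users also fail.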