[Freeipa-users] Cannot login after patching on LXC Container

[Nuno Higgs]

Hello all,

I will reproduce the issue tomorrow morning on a fresh LXC container.
For the sestatus:

# sestatus
SELinux status:                 disabled

That isn’t surprising for the host is not se-enabled, or even a RHEL/CentOS.
The underlining distro supports apparmor profiles.
The crappy part is before we did this patch update, everything worked
perfectly, although with SE Disabled.

I will keep you posted on the LXC test

Thanks!
Nuno

-----Original Message-----
From: freeipa-users-bounces at redhat.com
[mailto:freeipa-users-bounces at redhat.com] On Behalf Of Lukas Slebodnik
Sent: terça-feira, 14 de fevereiro de 2017 19:13
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Cannot login after patching on LXC Container

On (14/02/17 18:52), Lukas Slebodnik wrote:
>On (14/02/17 18:28), Alexander Bokovoy wrote:
>>On ti, 14 helmi 2017, Nuno Higgs wrote:
>>> Hello,
>>> 
>>> It worked perfecty.
>>> I am wondering why this just popped up now with this patch update. 
>>> Almost none of our containers hosts (and by inherence the 
>>> containers) have SELINUX enabled for they are primary for testing, and
they are on a secure network.
>>> With this version of ipa-client, the host has to have SE enabled for 
>>> the container to inherit the definitions and policies of it?
>>As I said, this was an update in SELinux-related libraries and change 
>>of behavior there, not in SSSD. It is reproducible in other 
>>environments as well, see, f.e. 
>>https://bugzilla.redhat.com/show_bug.cgi?id=1415167
>>
>Sorry you are wrong.
>This is a different bug.
>https://bugzilla.redhat.com/show_bug.cgi?id=1412717
>which is unfortunatelly private.
>
I thought a little bit and I am not sure which bug is this case.
What do "sestatus" inside container?

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project