Bug 870053
| Summary: | Default SELinuxusermaporder needs to mapped with default selinux users list | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kaleem <ksiddiqu> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.4 | CC: | dpal, mkosek |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-3.0.0-8.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-21 09:29:21 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Comment 2
Dmitri Pal
2012-10-29 23:27:21 UTC
Fixed upstream. Only user_u was changed.

master: 7c2eb48850de6eae7cce521053586a5d48c3d12e

ipa-3-0: 56beef9f775a28973106d074b191c48ab99d179d

Verified.

ipa-server version:
==================

```
[root@rhel64master ~]# rpm -qa|grep ipa-*
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-24.el6.x86_64
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-82.el6.x86_64
ipa-admintools-3.0.0-24.el6.x86_64
[root@rhel64master ~]#
```

(1) Default config shows user_u:s0 now.

```
[root@rhel64master ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC
[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermap1 --all
  dn: ipaUniqueID=b86c526e-6ae9-11e2-86a0-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermap1
  SELinux User: user_u:s0
  HBAC Rule: rule1
  Enabled: TRUE
  ipauniqueid: b86c526e-6ae9-11e2-86a0-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]# ssh -l user1 rhel64master.testrelm.com id -Z
user_u:user_r:user_t:s0
[root@rhel64master ~]#
```

Beaker log:
==========

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-selinuxusermapsvc-004-2: user1 associated with different selinuxusermap to access kvm-guest-05.testrelm.com - delete selinuxusermap2 from the prev test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin
Password for admin:
Authenticated to Kerberos v5
Default principal: admin
:: [01:41:33] :: kinit as admin with password XXXXXXX was successful.
:: [ PASS ] :: Kinit as admin user
----------------------------------------------
Deleted SELinux User Map "selinuxusermaprule2"
----------------------------------------------
:: [ PASS ] :: Running 'ipa selinuxusermap-del selinuxusermaprule2'
:: [ PASS ] :: Running 'rlDistroDiff keyctl'
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1
Password for user1:
Authenticated to Kerberos v5
Default principal: user1
:: [01:41:36] :: kinit as user1 with password xxxxxxxxx was successful.
:: [ PASS ] :: Kinit as user1
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to kvm-guest-05.testrelm.com has selinux policy user_u:s0
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to kvm-guest-05.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy user_u:s0
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com has selinux policy user_u:s0
:: [ PASS ] :: Running 'rlDistroDiff keyctl'
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html
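Added example, not part of the bug report or of the IPA code base: a small check that every entry in the `SELinux user map order` string, the default SELinux user, and each rule's SELinux user agree with the SELinux users a host policy defines. The policy table and the mismatched order string are constructed sample data, the function names are hypothetical, and ranges are compared for exact equality as a simplification.

```python
# Added example. POLICY_USERS is constructed sample data standing in for the
# "MLS/MCS Range" column of `semanage user -l` on an enrolled host.
POLICY_USERS = {
    "guest_u": "s0",
    "xguest_u": "s0",
    "user_u": "s0",
    "staff_u": "s0-s0:c0.c1023",
    "unconfined_u": "s0-s0:c0.c1023",
}

# Order string as shown by `ipa config-show` in the verification comment.
FIXED_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0"
               "$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023")
# Constructed counter-example: user_u carries a range the sample policy lacks.
MISMATCHED_ORDER = FIXED_ORDER.replace("user_u:s0", "user_u:s0-s0:c0.c1023")


def parse_map_order(order):
    """Split 'user:mls$user:mls...' into an ordered list of (user, mls)."""
    entries = []
    for item in order.split("$"):
        user, sep, mls = item.partition(":")  # MLS range may contain ':'
        if not (user and sep and mls):
            raise ValueError(f"malformed map order entry: {item!r}")
        entries.append((user, mls))
    return entries


def check_order(order, policy_users, default_user, rule_users):
    """Return a list of problems; an empty list means the order is consistent."""
    problems, seen = [], set()
    for user, mls in parse_map_order(order):
        if user in seen:
            problems.append(f"{user}: listed more than once")
        seen.add(user)
        if user not in policy_users:
            problems.append(f"{user}: not defined in policy")
        elif policy_users[user] != mls:
            problems.append(
                f"{user}: order has {mls}, policy has {policy_users[user]}")
    listed = set(order.split("$"))
    if default_user not in listed:
        problems.append(f"default user {default_user} is not in the order")
    for rule, value in rule_users.items():
        if value not in listed:
            problems.append(f"rule {rule}: {value} is not in the order")
    return problems
```
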