Red Hat Bugzilla – Bug 870053
Default SELinuxusermaporder needs to be mapped with default selinux users list
Last modified: 2013-02-21 04:29:21 EST
Upstream ticket: https://fedorahosted.org/freeipa/ticket/3224
Fixed upstream. Only user_u was changed.
master: 7c2eb48850de6eae7cce521053586a5d48c3d12e
ipa-3-0: 56beef9f775a28973106d074b191c48ab99d179d
Verified.

ipa-server version:
==================
[root@rhel64master ~]# rpm -qa|grep ipa-*
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-python-3.0.0-24.el6.x86_64
ipa-server-selinux-3.0.0-24.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
libipa_hbac-python-1.9.2-82.el6.x86_64
ipa-client-3.0.0-24.el6.x86_64
ipa-server-3.0.0-24.el6.x86_64
python-iniparse-0.3.1-2.1.el6.noarch
libipa_hbac-1.9.2-82.el6.x86_64
ipa-admintools-3.0.0-24.el6.x86_64
[root@rhel64master ~]#

(1) Default config shows user_u:s0 now.

[root@rhel64master ~]# ipa config-show
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC

[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermap1 --all
  dn: ipaUniqueID=b86c526e-6ae9-11e2-86a0-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermap1
  SELinux User: user_u:s0
  HBAC Rule: rule1
  Enabled: TRUE
  ipauniqueid: b86c526e-6ae9-11e2-86a0-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap

[root@rhel64master ~]# ssh -l user1 rhel64master.testrelm.com id -Z
user_u:user_r:user_t:s0
[root@rhel64master ~]#

Beaker log:
==========
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-selinuxusermapsvc-004-2: user1 associated with different selinuxusermap to access kvm-guest-05.testrelm.com - delete selinuxusermap2 from the prev test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
spawn /usr/bin/kinit -V admin
Using default cache: /tmp/krb5cc_0
Using principal: admin@TESTRELM.COM
Password for admin@TESTRELM.COM:
Authenticated to Kerberos v5
Default principal: admin@TESTRELM.COM
:: [01:41:33] :: kinit as admin with password XXXXXXX was successful.
:: [ PASS ] :: Kinit as admin user
----------------------------------------------
Deleted SELinux User Map "selinuxusermaprule2"
----------------------------------------------
:: [ PASS ] :: Running 'ipa selinuxusermap-del selinuxusermaprule2'
:: [ PASS ] :: Running 'rlDistroDiff keyctl'
spawn /usr/bin/kinit -V user1
Using default cache: /tmp/krb5cc_0
Using principal: user1@TESTRELM.COM
Password for user1@TESTRELM.COM:
Authenticated to Kerberos v5
Default principal: user1@TESTRELM.COM
:: [01:41:36] :: kinit as user1 with password xxxxxxxxx was successful.
:: [ PASS ] :: Kinit as user1
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to kvm-guest-05.testrelm.com has selinux policy user_u:s0
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to kvm-guest-05.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl460c-02.testrelm.com does not have selinux policy user_u:s0
:: [ PASS ] :: Authentication failed for user1, with selinuxuser staff_u:.*s0-s0:c0.c1023 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com does not have selinux policy staff_u:s0-s0:c0.c1023
user_u:user_r:user_t:s0
:: [ PASS ] :: Authentication successful for user1, with selinuxuser user_u:.*s0 as expected
:: [ PASS ] :: Authentication of user1 to hp-bl495cg5-02.testrelm.com has selinux policy user_u:s0
:: [ PASS ] :: Running 'rlDistroDiff keyctl'
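The verification above hinges on one detail: the SELinux user that a map rule carries (here `user_u:s0`) has to match, byte for byte, one of the `$`-separated entries in the "SELinux user map order" setting, and the position of that entry is what decides precedence when a user matches more than one rule. The following is an added example, not code from FreeIPA or from the bug report, that parses an order string in the format `ipa config-show` prints and checks a rule's SELinux user against it. The order string and rule values are copied from the output above; the `user_u:s0-s0:c0.c1023` mismatch case is constructed for illustration and the entry syntax regex is this example's own approximation of `user:range`.

```python
import re

# Order string exactly as printed by `ipa config-show` in the comment above.
DEFAULT_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0"
    "$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)

# SELinux user followed by an MLS/MCS range: user_u:s0 or staff_u:s0-s0:c0.c1023.
# Approximation for this example; it is not IPA's validator.
_ENTRY_RE = re.compile(
    r"^(?P<user>[a-z_][a-z0-9_]*):"
    r"(?P<range>s\d+(?:-s\d+(?::c\d+(?:\.c\d+)?)?)?)$"
)


def parse_order(order: str) -> list:
    """Split the map order string into its entries, rejecting malformed ones."""
    entries = order.split("$")
    for entry in entries:
        if not _ENTRY_RE.match(entry):
            raise ValueError(f"malformed SELinux user entry: {entry!r}")
    return entries


def precedence(rule_user: str, order: str) -> int:
    """Index of rule_user in the order list (lower wins), or -1 if absent."""
    entries = parse_order(order)
    return entries.index(rule_user) if rule_user in entries else -1


def check_rule_user(rule_user: str, order: str) -> tuple:
    """Return (ok, reason). Only an exact entry match counts; a same-named
    SELinux user with a different range is reported separately, since that
    is precisely the kind of mismatch this bug was about."""
    entries = parse_order(order)
    if rule_user in entries:
        return True, f"{rule_user} is entry {entries.index(rule_user)} of the order list"
    base = rule_user.split(":", 1)[0]
    same_user = [e for e in entries if e.split(":", 1)[0] == base]
    if same_user:
        return False, (f"{rule_user} is not in the order list; the list has "
                       f"{base} with a different range: {same_user}")
    return False, f"{rule_user} is not in the order list"


if __name__ == "__main__":
    # Value taken from `ipa selinuxusermap-show selinuxusermap1` above.
    print(check_rule_user("user_u:s0", DEFAULT_ORDER))
    # Constructed mismatch: same SELinux user, different range.
    print(check_rule_user("user_u:s0-s0:c0.c1023", DEFAULT_ORDER))
```

Run it against the order string copied from a real `ipa config-show` before creating or editing a map rule; a `False` with the "different range" reason is the symptom to look for, and the matching host-side check is `semanage login -l`, which should list the same SELinux user and range for the mapped login.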
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2013-0528.html