Red Hat Bugzilla – Bug 887193
SSSD allows SELinux context for user to be set, however SELinux tools are not updated to reflect this.
Last modified: 2013-11-20 10:09:25 EST
+++ This bug was initially created as a clone of Bug #876363 +++

We spent some good time this morning trying to chase down why my user in Fedora was a guest_u. It turns out this was a combination of IPA and SSSD working as they ought to. However, it was very unclear while trying to debug this that this was the case.

Tools like:

selinuxdefcon
semanage login -l

Did not reflect the reality of the situation as they are all presumably based off of the config present in the filesystem.

You can get a nice overview of what we went through here:

http://lists.fedoraproject.org/pipermail/selinux/2012-November/014925.html

Read the whole thread, you will see what we worked through.

-Erinn

--- Additional comment from Daniel Walsh on 2012-11-14 14:50:40 EST ---

Fixed in policycoreutils-2.1.13-33

--- Additional comment from Fedora Update System on 2012-11-14 14:51:08 EST ---

policycoreutils-2.1.13-33.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/policycoreutils-2.1.13-33.fc18

--- Additional comment from Fedora Update System on 2012-11-15 01:29:35 EST ---

Package policycoreutils-2.1.13-33.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.13-33.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18259/policycoreutils-2.1.13-33.fc18
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2012-11-16 21:25:45 EST ---

Package policycoreutils-2.1.13-34.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.1.13-34.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-18259/policycoreutils-2.1.13-34.fc18
then log in and leave karma (feedback).

--- Additional comment from Fedora Update System on 2012-11-23 02:54:59 EST ---

policycoreutils-2.1.13-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Hi,

the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd client and selinux. User cannot login, gdm says "unable to open session" when trying. oddjob created homedir.

This is what I see in /var/log/secure:

Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth): authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=username
Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth): authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost= user=username
Dec 14 12:03:10 hostname pam: gdm-password: pam_selinux(gdm-password:session): Error! Unable to set username key creation context guest_u:guest_r:oddjob_mkhomedir_t:s0.

sssd-1.9.2-24.el6.x86_64
(In reply to comment #2)
> Hi,
>
> the same problem seems to exist with rhel 6.3 ipa server, rhel 6.4beta sssd
> client and selinux. User cannot login, gdm says "unable to open session"
> when trying. oddjob created homedir.
>
> This is what I see in /var/log/secure:
>
> Dec 14 12:03:10 hostname pam: gdm-password: pam_unix(gdm-password:auth):
> authentication failure; logname= uid=0 euid=0 tty=:1 ruser= rhost=
> user=username
> Dec 14 12:03:10 hostname pam: gdm-password: pam_sss(gdm-password:auth):
> authentication success; logname= uid=0 euid=0 tty=:1 ruser= rhost=
> user=username
> Dec 14 12:03:10 hostname pam: gdm-password:
> pam_selinux(gdm-password:session): Error! Unable to set username key
> creation context guest_u:guest_r:oddjob_mkhomedir_t:s0.
>
> sssd-1.9.2-24.el6.x86_64

Well, this should be fixed in IPA to change guest_u to another SELinux user. AFAIK it has been fixed in Fedora.
The IPA server should default to unconfined_u in 6.4, IIRC. Not completely sure about earlier releases. What default SELinux user does "ipa config-show" print?
IPA server defaults to unconfined_u:s0-s0:c0.c1023 in RHEL 6.4, this is OK. However, it unfortunately defaults to guest_u:s0 in RHEL 6.3, which makes RHEL 6.4 clients use that value.

A quick fix for this issue is to modify the config default with:

ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023

But we will need to fix IPA in RHEL-6.3 and change the default to "unconfined_u:s0-s0:c0.c1023", either by z-stream or at least a release note.

Adding also Rob to the CC list.
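An added audit script (not code from this bug report, IPA or SSSD) that checks a domain for the guest_u default described in this comment and pulls the failed context out of the pam_selinux line quoted in comment 2. It assumes `ipa config-show` prints the value as "Default SELinux user: <value>"; the config-show sample inside it is constructed, not captured from a live server.

```shell
#!/bin/sh
# Added example, not code from the bug report or from IPA/SSSD: audit an IPA
# domain for the guest_u default that comment 5 identifies, and pull the
# failed context out of the pam_selinux line shown in comment 2.
# Assumption: `ipa config-show` prints "Default SELinux user: <value>" (the
# attribute behind --ipaselinuxusermapdefault). The sample is constructed.

IPA_CONFIG_SAMPLE='Maximum username length: 32
Home directory base: /home
Default shell: /bin/sh
SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
Default SELinux user: guest_u:s0'

# The pam_selinux failure quoted in comment 2 (one line of /var/log/secure).
SECURE_LINE='Dec 14 12:03:10 hostname pam: gdm-password: pam_selinux(gdm-password:session): Error! Unable to set username key creation context guest_u:guest_r:oddjob_mkhomedir_t:s0.'

# Print the configured default SELinux user from `ipa config-show` output.
ipa_selinux_default() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Default SELinux user:[[:space:]]*//p'
}

# Succeed (exit 0) when the domain still maps unmatched users to guest_u,
# the RHEL 6.3 default that blocks gdm logins on 6.4 clients.
default_is_guest() {
    case "$(ipa_selinux_default "$1")" in
        guest_u:*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Extract the SELinux context pam_selinux could not set from a secure log line.
# The context carries no spaces; the trailing "." belongs to the log sentence.
pam_selinux_failed_context() {
    printf '%s\n' "$1" | sed -n 's/.*key creation context \([^ ]*\)\..*/\1/p'
}

# Print the remediation from comment 5 when the guest_u default is found.
suggest_fix() {
    if default_is_guest "$1"; then
        printf 'ipa config-mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023\n'
    else
        printf 'no change needed\n'
    fi
}

# Stand-alone run: report on the constructed sample and the quoted log line.
echo "Failed context: $(pam_selinux_failed_context "$SECURE_LINE")"
echo "IPA default:    $(ipa_selinux_default "$IPA_CONFIG_SAMPLE")"
suggest_fix "$IPA_CONFIG_SAMPLE"
```

On a real server, feed it `ipa config-show` output instead of the sample; the script only reports, it never runs the config-mod itself.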
Of course the tricky part is how to differentiate between a setup that simply had guest_u set up as our default and a setup that needs guest_u as default. Although I really doubt there is such a setup since the client side never worked in 6.3.
(In reply to comment #6)
> Of course the tricky part is how to differentiate between a setup that simply
> had guest_u set up as our default and a setup that needs guest_u as default.
> Although I really doubt there is such a setup since the client side never
> worked in 6.3.

I just verified that the client can log in via console or SSH. However, gdm login does not work and produces the described error.

I will reassign to IPA, we will produce a Release Note.
This request was not resolved in time for the current release. Red Hat invites you to ask your support representative to propose this request, if still desired, for consideration in the next release of Red Hat Enterprise Linux.
Workaround is at https://access.redhat.com/knowledge/docs/en-US/Red_Hat_Enterprise_Linux/6/html/6.4_Technical_Notes/authentication_issues.html
*** Bug 1016638 has been marked as a duplicate of this bug. ***
*** Bug 1027302 has been marked as a duplicate of this bug. ***