Learn more about these different git repos.
Other Git URLs
OS: Fedora 17 Selinux_policy: selinux-policy-3.10.0-146.fc17.noarch
[root@ipaqavmb ~]# ssh -l testuser1 ipaqavma.testrelm.com id -Z testuser1@ipaqavma.testrelm.com's password: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 [root@ipaqavmb ~]# ipa selinuxusermap-add selinuxusermaprule1 --selinuxuser=staff_u:s0-s0:c0.c1023 -------------------------------------------- Added SELinux User Map "selinuxusermaprule1" -------------------------------------------- Rule name: selinuxusermaprule1 SELinux User: staff_u:s0-s0:c0.c1023 Enabled: TRUE [root@ipaqavmb ~]# ipa selinuxusermap-add-user selinuxusermaprule1 --users=testuser1 Rule name: selinuxusermaprule1 SELinux User: staff_u:s0-s0:c0.c1023 Enabled: TRUE Users: testuser1 ------------------------- Number of members added 1 ------------------------- [root@ipaqavmb ~]# ipa selinuxusermap-add-host selinuxusermaprule1 --hosts=ipaqavma.testrelm.com Rule name: selinuxusermaprule1 SELinux User: staff_u:s0-s0:c0.c1023 Enabled: TRUE Users: testuser1 Hosts: ipaqavma.testrelm.com ------------------------- Number of members added 1 ------------------------- [root@ipaqavmb ~]# ipa selinuxusermap-show selinuxusermaprule1 --all dn: ipaUniqueID=a1c6d5ac-f14a-11e1-9948-021016980179,cn=usermap,cn=selinux,dc=testrelm,dc=com Rule name: selinuxusermaprule1 SELinux User: staff_u:s0-s0:c0.c1023 Enabled: TRUE Users: testuser1 Hosts: ipaqavma.testrelm.com ipauniqueid: a1c6d5ac-f14a-11e1-9948-021016980179 objectclass: ipaassociation, ipaselinuxusermap [root@ipaqavmb ~]# kinit testuser1 Password for testuser1@TESTRELM.COM: [root@ipaqavmb ~]# ssh -l testuser1 ipaqavma.testrelm.com id -Z Connection closed by UNKNOWN Following AVC denied log message in the client machine: Thu Aug 30 17:17:22 2012 type=SYSCALL msg=audit(1346361442.421:1188): arch=c000003e syscall=2 success=no exit=-13 a0=1cb12f0 a1=c2 a2=180 a3=6e99cc7fed7 items=0 ppid=29960 pid=29964 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sssd_pam" exe="/usr/libexec/sssd/sssd_pam" subj=system_u:system_r:sssd_t:s0 key=(null) type=AVC msg=audit(1346361442.421:1188): avc: denied { write } for pid=29964 comm="sssd_pam" name="logins" dev="dm-1" ino=2362329 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
Expected result: ssh to a ipa client machine with selinuxusermap should be successful.
I replied to Asha offlist. The short version is that this is not a problem in the SSSD but either a configuration issue or a bug of selinux-policy-targeted.
resolution: => invalid status: new => closed
Metadata Update from @aakkiang: - Issue set to the milestone: NEEDS_TRIAGE
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2544
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Log in to comment on this ticket.