https://bugzilla.redhat.com/show_bug.cgi?id=870053 (Red Hat Enterprise Linux 6)
Description of problem:
I was expecting the output of "ssh -l user host id -Z" to be "user_u:user_r:user_t:s0-s0:c0.c1023", but only the following is returned: user_u:user_r:user_t:s0

Version-Release number of selected component (if applicable):
[root@rhel64master ~]# rpm -qa|grep ipa-*|sort
ipa-admintools-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-client-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-pki-ca-theme-9.0.3-7.20121022T2247z.el6.noarch
ipa-pki-common-theme-9.0.3-7.20121022T2247z.el6.noarch
ipa-python-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-server-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
ipa-server-selinux-3.0.0-105.20121022T2338zgit3488770.el6.x86_64
libipa_hbac-1.9.90-0.20121022T2317zgit66318df.el6.x86_64
libipa_hbac-python-1.9.90-0.20121022T2317zgit66318df.el6.x86_64
[root@rhel64master ~]#

How reproducible:
Always

Steps to Reproduce:
1. Add a selinuxusermap rule for user_u
[root@rhel64master ~]# ipa selinuxusermap-show selinuxusermap1 --all
  dn: ipaUniqueID=217bad58-1d07-11e2-b007-5254005d451f,cn=usermap,cn=selinux,dc=testrelm,dc=com
  Rule name: selinuxusermap1
  SELinux User: user_u:s0-s0:c0.c1023
  HBAC Rule: rule1
  Enabled: TRUE
  ipauniqueid: 217bad58-1d07-11e2-b007-5254005d451f
  objectclass: ipaassociation, ipaselinuxusermap
[root@rhel64master ~]#

2. Run the following command to get the SELinux context that was assigned
[root@rhel64master ~]# ssh -l user1 rhel64master.testrelm.com id -Z
user_u:user_r:user_t:s0
[root@rhel64master ~]#

3. Here I see the SELinux context "user_u:user_r:user_t:s0", but I was expecting "user_u:user_r:user_t:s0-s0:c0.c1023" because the default selinuxusermaporder has it in the ordering.
[root@rhel64master ~]# ipa config-show|grep order
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
[root@rhel64master ~]#

4. We are getting this (user_u:user_r:user_t:s0) because of a conflict with the default SELinux user list on the target system.
[root@rhel64master ~]# semanage user -l

                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles

git_shell_u     user       s0         s0               git_shell_r
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r
[root@rhel64master ~]#

Expected result:
The default selinuxusermaporder needs to be mapped to the default SELinux user list.
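An added consistency check, written here for this ticket and not part of FreeIPA or the reporter's steps: it parses the `$`-separated SELinux user map order and the `semanage user -l` table exactly as they appear in the report (both embedded as constructed samples) and lists every map-order entry whose MLS range differs from what the host policy defines. On the report's data only user_u mismatches (map order says s0-s0:c0.c1023, policy says s0).

```python
# Constructed sample: the default SELinux user map order quoted in the report.
# Entries are separated by '$'; each is "selinux_user:mls_range".
IPA_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$"
             "staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023")

# Constructed sample: `semanage user -l` output as shown in the report.
SEMANAGE_OUTPUT = """\
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range        SELinux Roles
git_shell_u     user       s0         s0               git_shell_r
guest_u         user       s0         s0               guest_r
root            user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023   staff_r sysadm_r system_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023   sysadm_r
system_u        user       s0         s0-s0:c0.c1023   system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023   system_r unconfined_r
user_u          user       s0         s0               user_r
xguest_u        user       s0         s0               xguest_r
"""


def parse_order(order):
    """Split the '$'-separated map order into (selinux_user, mls_range) pairs."""
    pairs = []
    for entry in order.split("$"):
        user, _, mls_range = entry.partition(":")
        pairs.append((user, mls_range))
    return pairs


def parse_semanage(text):
    """Return {selinux_user: mls_range} from `semanage user -l` output."""
    ranges = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows look like: name, prefix, level, range, roles...
        # Both header lines fail the prefix check and are skipped.
        if len(fields) >= 4 and fields[1] == "user":
            ranges[fields[0]] = fields[3]
    return ranges


def find_conflicts(order, semanage_text):
    """Map-order entries whose range is missing from or differs in the host policy.

    Returns a list of (selinux_user, range_in_order, range_in_policy_or_None).
    """
    local = parse_semanage(semanage_text)
    conflicts = []
    for user, mls_range in parse_order(order):
        if local.get(user) != mls_range:
            conflicts.append((user, mls_range, local.get(user)))
    return conflicts
```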
attachment freeipa-rcrit-1070-selinux.patch
Only user_u needed to be changed.
master: 7c2eb48
ipa-3-0: 56beef9
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0.1 (bug fixing)