Hi everybody,

Right now, I am enrolling diskless Fedora 26 workstations (with stateless Linux) into my IPA domain.
Inside the read-only root image, /etc/sysconfig/selinux contains:

SELINUX=disabled
SELINUXTYPE=targeted

and /etc/sssd/sssd.conf contains:

[domain/math]
selinux_provider = none
debug_level=0x0070
...

So, authentication of a domain account seems to work well, but nevertheless, each time, journalctl says:

juil. 21 16:11:32 pc-f26.math systemd-coredump[22019]:
Process 22017 (selinux_child) of user 0 dumped core.

Stack trace of thread 22017:
#0  0x00007f60bac8dd24 semanage_seuser_key_free (libsemanage.so.1)
#1  0x00005639b0b5326d set_seuser (selinux_child)
#2  0x00005639b0b52a3f main (selinux_child)
#3  0x00007f60ba8b94da __libc_start_main (libc.so.6)
#4  0x00005639b0b52dba _start (selinux_child)

Hope this helps...
Jacquelin

On 14/10/2016 at 10:02, Jakub Hrozek wrote:
> On Fri, Oct 14, 2016 at 09:44:11AM +0200, Sumit Bose wrote:
> > On Fri, Oct 14, 2016 at 12:41:23AM +0200, Jacquelin Charbonnel wrote:
> > > Thank you for this information. Yes, /tmp is writable.
> > >
> > > My problem is: access is sometimes definitively refused for a random
> > > user who wants to log in to the diskless workstations.
> > > But if this banned user tries to connect to the single machine which
> > > mounts the fs in rw mode, it works, and this immediately solves their
> > > problem on all the other stateless machines!? Strange...
> >
> > Maybe it is the selinux_provider, iirc at least in older versions it used
> > to write some data somewhere below /etc/selinux/. You can easily test
> > this by setting 'selinux_provider = none' in the domain section in
> > sssd.conf.
>
> Aah, that's probably it. We no longer write to the directory directly,
> but we call libsemanage functions that do.


--
Jacquelin Charbonnel - (+33)2 4173 5397
CNRS Mathrice/LAREMA - Campus universitaire d'Angers
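
An added example (not part of the original thread and not SSSD code): a Python check, following the diagnosis in the quoted replies, that lists the sssd.conf domains whose SELinux provider is still active while the policy store under /etc/selinux is not writable. The sample configuration and its `lab` domain are constructed; the fallback from `selinux_provider` to `id_provider` follows sssd.conf(5), and treating only `ipa` as an active SELinux provider is an assumption of this sketch.

```python
import configparser
import os

# Constructed sample: two domains, only one opts out of the SELinux provider.
SAMPLE_SSSD_CONF = """
[sssd]
domains = math, lab

[domain/math]
id_provider = ipa
selinux_provider = none
debug_level=0x0070

[domain/lab]
id_provider = ipa
"""


def effective_selinux_provider(section):
    """Return selinux_provider, falling back to id_provider when it is unset."""
    value = section.get("selinux_provider") or section.get("id_provider") or "none"
    return value.strip().lower()


def domains_at_risk(conf_text, store_writable):
    """List domains whose SELinux provider would run against a read-only store."""
    if store_writable:
        return []
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    risky = []
    for name in parser.sections():
        if not name.startswith("domain/"):
            continue  # skip [sssd], [pam], [nss], ...
        if effective_selinux_provider(parser[name]) == "ipa":
            risky.append(name.split("/", 1)[1])
    return risky


def selinux_store_writable(path="/etc/selinux"):
    """True when this process could write below the policy store."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


if __name__ == "__main__":
    writable = selinux_store_writable()
    for domain in domains_at_risk(SAMPLE_SSSD_CONF, writable):
        print(f"[domain/{domain}]: set 'selinux_provider = none' (store not writable)")
```
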