On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
> On 01/08/13 12:45, Rob Crittenden wrote:
>> Erinn Looney-Triggs wrote:
>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>> Simo Sorce wrote:
>>>>> On Tue, 2013-01-08 at 19:31 +0000, Steven Jones wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I assume RHEL 6.4 is GA shortly just how straightforward is the
>>>>>> upgrade from one IPA version to another please? regards
>>>>>
>>>>> Should just require an rpm upgrade and a restart and nothing
>>>>> else.
>>>>>
>>>>> Simo.
>>>>>
>>>>
>>>> If you have multiple servers you'll want to upgrade them one at a
>>>> time in a short period (days, not weeks).
>>>>
>>>> rob
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>> Is this the release where SELinux mapping in IPA actually starts
>>> working?
>>>
>>> If so that is definitely something to watch out for (I realize this
>>> is more of an SSSD thing, but still). If you aren't careful and you
>>> have your users mapped to something like guest_u, well the upgrade can
>>> be very inconvenient for them.
>>
>> I believe this was fixed.
>>
>> rob
>
> Ok I am just going off of this:
> https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear
> like it will be documented but there isn't much you can do about the
> default being set to guest_u.
>
> However, if it is fixed that is great news.
>
> -Erinn

Hello Erinn,

Just to make things clear, it is "fixed" by means that it is documented and the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only applies for new IPA server installations.

As for the upgraded installs, you want to check the default SELinux user to ensure that it is set to a value that you want (probably unconfined_u:s0-s0:c0.c1023). We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023 in the upgrade process as we cannot know if some user does not have it set to guest_u on purpose.

Thanks for understanding,
Martin
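
The check described above for upgraded installs, as an added example that is not part of the original thread: a small shell audit that reads the text of `ipa config-show` and reports whether the default SELinux user still needs review. The function names, the verdict strings and the sample output (including the `guest_u:s0` value) are constructed for illustration, and the field labels are assumed to match what `ipa config-show` prints.

```shell
#!/bin/sh
# Added example: audit the IPA default SELinux user after an upgrade.

# Print the value of one "Label: value" field from config-show text on stdin.
config_field() {
    awk -v label="$1" -F': ' '
        { key = $1; sub(/^[ \t]+/, "", key) }
        key == label { sub(/^[^:]*: /, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# $1 = config-show text, $2 = the default you want.
# Prints: ok | review:<user> | not-in-order:<user> | missing
audit_default() (
    current=$(printf '%s\n' "$1" | config_field 'Default SELinux user')
    order=$(printf '%s\n' "$1" | config_field 'SELinux user map order')
    # The map order is a $-separated list; the default should be one entry.
    case "\$$order\$" in
        *"\$$current\$"*) in_order=yes ;;
        *) in_order=no ;;
    esac
    if [ -z "$current" ]; then
        echo missing
    elif [ "$in_order" = no ]; then
        echo "not-in-order:$current"
    elif [ "$current" = "$2" ]; then
        echo ok
    else
        # Left untouched by the upgrade: confirm it is set this way on purpose.
        echo "review:$current"
    fi
)

# Constructed sample of an upgraded server that kept the old default.
SAMPLE_UPGRADED='  Maximum username length: 32
  Default shell: /bin/sh
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: guest_u:s0'
EXPECTED='unconfined_u:s0-s0:c0.c1023'

audit_default "$SAMPLE_UPGRADED" "$EXPECTED"   # prints review:guest_u:s0

# On a real server, with a valid Kerberos ticket:
#   audit_default "$(ipa config-show)" "$EXPECTED"
# To change the default once you have decided on a value:
#   ipa config-mod --ipaselinuxusermapdefault="$EXPECTED"
```

A `review:` verdict is not necessarily wrong, since a site may have set a confined default deliberately; it only marks the value the upgrade left in place for a human decision.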
