On 01/09/13 00:02, Martin Kosek wrote:
> On 01/08/2013 11:20 PM, Erinn Looney-Triggs wrote:
>> On 01/08/13 12:45, Rob Crittenden wrote:
>>> Erinn Looney-Triggs wrote:
>>>> On 01/08/13 11:44, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> On Tue, 2013-01-08 at 19:31 +0000, Steven Jones wrote:
>>>>>>> Hi,
>>>>>>> I assume RHEL 6.4 is GA shortly. Just how straightforward is the
>>>>>>> upgrade from one IPA version to another, please? Regards
>>>>>> Should just require an rpm upgrade and a restart and nothing
>>>>>> else.
>>>>>> Simo.
>>>>> If you have multiple servers you'll want to upgrade them one at a
>>>>> time in a short period (days, not weeks).
>>>>> rob
>>>>> _______________________________________________ Freeipa-users
>>>>> mailing list Freeipa-users@redhat.com 
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Is this the release where SELinux mapping in IPA actually starts
>>>> working?
>>>> If so that is definitely something to watch out for (I realize this
>>>> is more of an SSSD thing, but still). If you aren't careful and you
>>>> have your users mapped to something like guest_u, well the upgrade can
>>>> be very inconvenient for them.
>>> I believe this was fixed.
>>> rob
>> Ok I am just going off of this: 
>> https://bugzilla.redhat.com/show_bug.cgi?id=887193 which makes it appear 
>> like it will be documented but there isn't much you can do about the 
>> default being set to guest_u.
>> However, if it is fixed that is great news.
>> -Erinn
> Hello Erinn,
> Just to make things clear, it is "fixed" by means that it is documented and
> the new default SELinux user is unconfined_u:s0-s0:c0.c1023. But this only
> applies for new IPA server installations. As for the upgraded installs, you
> want to check default SELinux user to ensure that it is set to a value that
> you want (probably unconfined_u:s0-s0:c0.c1023).
> We could not forcefully change it from guest_u to unconfined_u:s0-s0:c0.c1023
> in the upgrade process as we cannot know if some user does not have it set to
> guest_u on purpose.
> Thanks for understanding,
> Martin

Yep I understood all that and the reasoning behind it. The only thing I
was trying to say was that while documenting it in the release notes is
a nice and necessary step, if there are other channels to let folks know
about this, like say an e-mail list, it might be worthwhile as well.
This is just a suggestion.

Not all folks read the release notes, which of course they all should,
and this change can lead to some rather surprising results for those of
us who ended up with guest_u by default.

As I said, I just got lucky in some ways: by running Fedora 18 against my
IPA servers I was able to only cause issues for myself.
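
The check Martin describes for upgraded installs, as an added shell example that is not part of the original thread. It assumes `ipa config-show` prints a `Default SELinux user:` line; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the IPA default SELinux user after an upgrade.
# Assumption: `ipa config-show` prints a line of the form
#   "  Default SELinux user: <user>"
# The sample text below is constructed, not captured from a real server.

EXPECTED_DEFAULT='unconfined_u:s0-s0:c0.c1023'   # value named in the thread

# Extract the default SELinux user from `ipa config-show` output on stdin.
default_selinux_user() {
    sed -n 's/^[[:space:]]*Default SELinux user:[[:space:]]*//p' | head -n 1
}

# Classify a default: prints "ok", "restricted" (guest_u, which confines
# every user without a matching SELinux user map rule), "other" or "missing".
classify_default() {
    case "$1" in
        "$EXPECTED_DEFAULT") echo ok ;;
        guest_u|guest_u:*)   echo restricted ;;
        '')                  echo missing ;;
        *)                   echo other ;;
    esac
}

# Constructed sample: an upgraded server still carrying the old default.
SAMPLE_UPGRADED='  Maximum username length: 32
  Default shell: /bin/sh
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: guest_u:s0'

# Run the check against the constructed sample.
current=$(printf '%s\n' "$SAMPLE_UPGRADED" | default_selinux_user)
printf 'default=%s status=%s\n' "$current" "$(classify_default "$current")"

# On a real server (with an admin Kerberos ticket):
#   classify_default "$(ipa config-show | default_selinux_user)"
# and, if the value is not the one you want:
#   ipa config-mod --ipaselinuxusermapdefault="$EXPECTED_DEFAULT"
```

A status of `other` is not necessarily wrong; as the thread notes, some sites set a restrictive default on purpose.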

