Re: [Freeipa-users] IPA clashing with selinux on users home directories

2012-03-08 Thread Stephen Gallagher
On Thu, 2012-03-08 at 20:14 +, Steven Jones wrote:
> Hi,
>
> I am setting up some IPA users. What I have noticed is if I or they type
> startx to start a gui, locking the .Xauthority fails; if I setenforce 0
> then it works fine. I have never seen this behaviour before and
> googling suggests it's an IPA and selinux conflict.
>
> And in fact when I create a local user they get an instant gui from
> running startx...
 

I'm guessing you're creating your home directories with the help of
pam_mkhomedir.so. This won't work with SELinux. You need to install and
use pam_oddjob_mkhomedir.so instead, which will properly set up SELinux
contexts for your users.


___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] IPA clashing with selinux on users home directories

2012-03-08 Thread Simo Sorce
On Thu, 2012-03-08 at 21:27 +, Steven Jones wrote:
> Hi,
>
> I used ipa-client-install --mkhomedir
>
> How do I change that so it will do so properly?
>
> regards
>
> Steven Jones
>
> Technical Specialist - Linux RHCE
>
> Victoria University, Wellington, NZ
>
> 0064 4 463 6272
>
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Stephen Gallagher [sgall...@redhat.com]
> Sent: Friday, 9 March 2012 9:43 a.m.
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] IPA clashing with selinux on users home
> directories
>
> On Thu, 2012-03-08 at 20:14 +, Steven Jones wrote:
>> Hi,
>>
>> I am setting up some IPA users. What I have noticed is if I or they type
>> startx to start a gui, locking the .Xauthority fails; if I setenforce 0
>> then it works fine. I have never seen this behaviour before and
>> googling suggests it's an IPA and selinux conflict.
>>
>> And in fact when I create a local user they get an instant gui from
>> running startx...
>
> I'm guessing you're creating your home directories with the help of
> pam_mkhomedir.so. This won't work with SELinux. You need to install and
> use pam_oddjob_mkhomedir.so instead, which will properly set up SELinux
> contexts for your users.

If you install oddjob_homedir before running ipa-client-install then it
should pick that up automatically.

We already have a patch upstream to require oddjob-mkhomedir at rpm
install.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
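
An added example, not part of the thread or of FreeIPA: a shell check for which of the two modules named in the replies above is active in a PAM session stack, plus a label check on existing home directories. The function names, the sample PAM fragment and the use of `matchpathcon` (from libselinux-utils) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): report which mkhomedir PAM module is
# active and which home directories differ from the policy's default label.

# Prints "oddjob", "plain", "both" or "none" for the PAM files given.
# Only uncommented lines of the session stack are counted.
mkhomedir_module() {
    awk '
        /^[ \t]*#/ { next }                          # commented-out entry
        $1 !~ /^-?session$/ { next }                 # not the session stack
        /pam_oddjob_mkhomedir\.so/ { oddjob = 1; next }
        /pam_mkhomedir\.so/        { plain = 1 }
        END {
            if (oddjob && plain) print "both"
            else if (oddjob)     print "oddjob"
            else if (plain)      print "plain"
            else                 print "none"
        }' "$@"
}

# Prints one line per directory under $1 (default /home) whose on-disk
# context differs from what the loaded policy specifies for that path.
# Assumption: matchpathcon (libselinux-utils) is installed; returns 2 if not.
mislabelled_homes() {
    command -v matchpathcon >/dev/null 2>&1 || return 2
    for d in "${1:-/home}"/*/; do
        [ -d "$d" ] || continue
        matchpathcon -V "${d%/}" 2>&1 | grep -v ' verified\.$'
    done
    return 0
}

# Constructed PAM fragment so the check can be tried offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#session    optional      pam_oddjob_mkhomedir.so
session     optional      pam_mkhomedir.so umask=0077
session     required      pam_unix.so
EOF
echo "sample stack: $(mkhomedir_module "$sample")"
rm -f "$sample"
```

On a real client, pass the PAM files the distribution uses (for example `/etc/pam.d/system-auth`); directories that `mislabelled_homes` reports can be relabelled with `restorecon -R`.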



Re: [Freeipa-users] IPA clashing with selinux on users home directories

2012-03-08 Thread Steven Jones
Thanks, I can put that in Sat.

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

