On Wed, 2022-03-16 at 12:20 +0100, Alexey Tikhonov wrote:
>
> Did you tune any default selinux policies?

No.

> You might want to consider:
> - changing the order to: 'files sss ...'

But since all of my users are in FreeIPA, won't files more or less be a noop and sss will always still be consulted?

> and
> - setting `enable_files_domain = false` (see `man sssd.conf` for
>   details)
> Does `getent passwd $your_ipa_use` work for you?

Yes. To be clear here, I am not saying sssd is not working. I am saying that a shell script being executed from a given (non-regular-user) domain is raising AVCs and I just want to know whether the particular accesses it's requesting are actually needed or not.

> Most probably those are lookups (`getpwnam()`, etc) of local users.
> When SSSD fails to serve this lookup, it's being served by next source in
> your nsswitch.conf (i.e. 'files')

But the entry for regular users won't exist there. So what could break then?

Cheers,
b.
