#2984 Check for selinuxuser is bypassed when selinuxusermap-mod with --setattr
Closed: Fixed. Opened 11 years ago by aakkiang.

The following selinuxusermap-mod operation (#2) allows a selinuxuser that is not in the list shown by 'ipa config-show | grep "SELinux user map order"' to be linked to a selinuxusermap. The same value produces an error message for a selinuxusermap-add operation, as shown in #1. The behaviour of #1 and #2 is inconsistent.

1. [root@ipaqavme ipa-selinuxusermap-cli]# ipa selinuxusermap-add --selinuxuser=deny test3
ipa: ERROR: SELinux user deny not found in ordering list (in config)

2. [root@ipaqavme ipa-selinuxusermap-cli]# ipa selinuxusermap-add --selinuxuser=guest_u:s0 test4
------------------------------
Added SELinux User Map "test4"
------------------------------
 Rule name: test4
 SELinux User: guest_u:s0
 Enabled: TRUE
[root@ipaqavme ipa-selinuxusermap-cli]# ipa selinuxusermap-mod --setattr=ipaselinuxuser=deny test4
---------------------------------
Modified SELinux User Map "test4"
---------------------------------
 Rule name: test4
 SELinux User: deny
 Enabled: TRUE

In addition, deny is not a valid selinux user. The guys in #selinux say that MLS and MCS are both required.
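The root cause the ticket describes is a validation step that runs on one write path (add) but is skipped on another (mod via --setattr). The following is an added illustration, not FreeIPA's own code: a toy in-memory store in which every write path, including raw attr=value updates, is funnelled through a single check against the ordering list and a basic seuser:mls format test. The "$"-separated ordering string and the format regex are assumptions for the example; the attribute name ipaselinuxuser and the values guest_u:s0 and deny come from the ticket.

```python
import re

# Constructed sample ordering list in the "$"-separated form used by
# "ipa config-show" (assumption: the real list on a server will differ).
SAMPLE_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0$"
                "staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023")

# Assumed shape of an SELinux user: "seuser:mls" with an MLS/MCS level
# and an optional range, e.g. "staff_u:s0-s0:c0.c1023". A bare word
# such as "deny" carries no level and is rejected up front.
_SELINUX_USER_RE = re.compile(
    r"^[a-z_][a-z0-9_]*:s[0-9]+(-s[0-9]+(:c[0-9]+(\.c[0-9]+)?)?)?$")


def parse_order(order):
    """Split the configured ordering string into its individual users."""
    return [u for u in order.split("$") if u]


def validate_selinux_user(user, order):
    """Return None when the user is acceptable, else an error message."""
    if not _SELINUX_USER_RE.match(user):
        return "SELinux user %s must be in seuser:mls form" % user
    if user not in parse_order(order):
        return "SELinux user %s not found in ordering list (in config)" % user
    return None


class UserMapStore:
    """Toy store whose add and mod paths share one validation routine."""

    ATTR = "ipaselinuxuser"

    def __init__(self, order):
        self.order = order
        self.maps = {}

    def _check(self, attrs):
        # Every write path calls this, so a --setattr update cannot skip it.
        if self.ATTR in attrs:
            err = validate_selinux_user(attrs[self.ATTR], self.order)
            if err:
                raise ValueError(err)

    def add(self, name, **attrs):
        self._check(attrs)
        self.maps[name] = dict(attrs)

    def mod(self, name, setattr=None, **attrs):
        # Fold raw "attr=value" strings into the same attribute dict first,
        # so the check sees them exactly as it sees the named options.
        merged = dict(attrs)
        for item in setattr or []:
            key, _, value = item.partition("=")
            merged[key.lower()] = value
        self._check(merged)
        self.maps[name].update(merged)


if __name__ == "__main__":
    store = UserMapStore(SAMPLE_ORDER)
    store.add("test4", ipaselinuxuser="guest_u:s0")
    try:
        store.mod("test4", setattr=["ipaselinuxuser=deny"])
    except ValueError as exc:
        print("rejected:", exc)
    print("stored value:", store.maps["test4"]["ipaselinuxuser"])
```

The design point is that the check lives in one place called from both paths after raw attribute strings have been normalised into the same dictionary, which is what closes the gap between the two behaviours shown in #1 and #2.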

Metadata Update from @aakkiang:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 3.0 Beta 2

7 years ago
