IPA user login based on SELinux user mapping is failing with error "seuser mapping [tuser -> (user_u, s2)] is invalid"

Solution Verified - Updated -

Issue

  • IPA user login based on SELinux user mapping fails with the errors shown in the logs below.
  • File /var/log/secure
Aug 19 20:14:12 localhost sshd[28038]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=tuser
Aug 19 20:14:16 localhost sshd[28038]: pam_sss(sshd:account): Access denied for user tuser: 4 (System error)
Aug 19 20:14:16 localhost sshd[28034]: error: PAM: User account has expired for tuser from ::1
Aug 19 20:14:16 localhost sshd[28034]: fatal: monitor_read: unpermitted request 104
  • File /var/log/sssd/selinux_child.log
(2025-08-19 20:14:15): [selinux_child[28042]] [main] (0x0400): [RID#14] selinux_child started.
(2025-08-19 20:14:15): [selinux_child[28042]] [main] (0x2000): [RID#14] Running with effective IDs: [0][0].
(2025-08-19 20:14:15): [selinux_child[28042]] [main] (0x2000): [RID#14] Running with real IDs [0][0].
(2025-08-19 20:14:15): [selinux_child[28042]] [main] (0x0400): [RID#14] context initialized
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] seuser length: 6
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] seuser: user_u
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] mls_range length: 2
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] mls_range: s2
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] username length: 5
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] username: tuser
(2025-08-19 20:14:15): [selinux_child[28042]] [main] (0x0400): [RID#14] performing selinux operations
(2025-08-19 20:14:15): [selinux_child[28042]] [seuser_needs_update] (0x2000): [RID#14] sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(2025-08-19 20:14:15): [selinux_child[28042]] [seuser_needs_update] (0x0400): [RID#14] The SELinux user does need an update
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] invalid MLS context s2
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] could not construct mls context structure
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] seuser mapping [tuser -> (user_u, s2)] is invalid
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] could not iterate over records
(2025-08-19 20:14:16): [selinux_child[28042]] [sss_set_seuser] (0x0020): [RID#14] Cannot commit SELinux transaction
(2025-08-19 20:14:16): [selinux_child[28042]] [main] (0x0020): [RID#14] Cannot set SELinux login context.
(2025-08-19 20:14:16): [selinux_child[28042]] [main] (0x0020): [RID#14] selinux_child failed!
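
To triage a longer selinux_child.log for this failure, the added example below (not part of the original article) groups lines by process ID and request ID and reports the mapping each failed run tried to apply. The function names triage and failed_runs are hypothetical, and the RID#15 lines in the sample are constructed.

```python
import re
from collections import defaultdict

# Sample input: RID#14 lines are copied from the excerpt above; the RID#15
# lines (pid 28100) are constructed to show a run without errors.
SAMPLE = """\
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] seuser length: 6
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] seuser: user_u
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] mls_range: s2
(2025-08-19 20:14:15): [selinux_child[28042]] [unpack_buffer] (0x2000): [RID#14] username: tuser
(2025-08-19 20:14:15): [selinux_child[28042]] [seuser_needs_update] (0x2000): [RID#14] sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] invalid MLS context s2
(2025-08-19 20:14:16): [selinux_child[28042]] [libsemanage] (0x0020): [RID#14] seuser mapping [tuser -> (user_u, s2)] is invalid
(2025-08-19 20:14:16): [selinux_child[28042]] [main] (0x0020): [RID#14] selinux_child failed!
(2025-08-19 20:15:01): [selinux_child[28100]] [unpack_buffer] (0x2000): [RID#15] seuser: user_u
(2025-08-19 20:15:01): [selinux_child[28100]] [unpack_buffer] (0x2000): [RID#15] mls_range: s0
(2025-08-19 20:15:01): [selinux_child[28100]] [unpack_buffer] (0x2000): [RID#15] username: auser
"""

LINE = re.compile(r"^\((?P<ts>[^)]+)\): \[selinux_child\[(?P<pid>\d+)\]\] "
                  r"\[(?P<func>\w+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): "
                  r"\[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
FIELD = re.compile(r"^(seuser|mls_range|username): (.+)$")   # skips "... length: N"
CURRENT = re.compile(r"sss_get_seuser: ret: \d+ seuser: (\S+) mls: (\S+)")

def triage(text):
    """Group log lines by (pid, RID) and summarise each selinux_child run."""
    runs = defaultdict(lambda: {"errors": [], "failed": False})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        run, msg = runs[(m["pid"], m["rid"])], m["msg"]
        if m["func"] == "unpack_buffer" and (f := FIELD.match(msg)):
            run[f[1]] = f[2]                      # mapping requested for this login
        elif (c := CURRENT.search(msg)):
            run["current"] = (c[1], c[2])         # mapping currently on the host
        elif m["func"] == "libsemanage" and int(m["lvl"], 16) == 0x0020:
            run["errors"].append(msg)             # 0x0020: level of the error lines above
        elif msg == "selinux_child failed!":
            run["failed"] = True
    return dict(runs)

def failed_runs(text):
    """Return (username, seuser, mls_range, first libsemanage error) per failed run."""
    return [(r.get("username"), r.get("seuser"), r.get("mls_range"),
             r["errors"][0] if r["errors"] else None)
            for r in triage(text).values() if r["failed"]]
```

On the sample, failed_runs(SAMPLE) reports only the tuser run, with the requested mapping (user_u, s2) next to the libsemanage message that rejected it.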

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • IPA 4.x
