pangolin-cli cannot connect with sssd users #27
Description
Describe the Bug
pangolin up with an sssd user on a linux system will not get past the starting phase.
pangolin up
[sudo] password for user:
Starting up client...
Status: Starting
If I switch to a local users I can connect just fine.
some relevant logs (redacted some info)
Feb 14 16:00:18 minisv3 sssd[54573]: exec_child_ex command: [/usr/libexec/sssd/selinux_child] /usr/libexec/sssd/selinux_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-fd=24 --chain-id=303 --backtrace=1 --debug-level=0x2f7f0
Feb 14 16:00:18 minisv3 sudo[54480]: user : TTY=pts/3 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/sh -c 'export PANGOLIN_SUBPROCESS=1 && export PANGOLIN_CREDENTIALS_FROM_KEYRING=1 && nohup "/usr/local/bin/pangolin" "up" "client" "--org" "removed" "--id" "removed" "--secret" "removed" "--endpoint" "removed" >/dev/null 2>&1 &'
(2026-02-14 16:00:18): [selinux_child[54573]] [sss_log_process_caps] (0x0100): [RID#303] Starting under ruid=467, euid=467, suid=467 : rgid=467, egid=467, sgid=467
(2026-02-14 16:00:18): [selinux_child[54573]] [sss_log_process_caps] (0x0100): [RID#303] With following capabilities:
CAP_SETGID: effective = 0 , permitted = *1*, inheritable = 0 , bounding = *1*
CAP_SETUID: effective = 0 , permitted = *1*, inheritable = 0 , bounding = *1*
(2026-02-14 16:00:18): [selinux_child[54573]] [main] (0x0400): [RID#303] context initialized
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] seuser length: 12
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] seuser: unconfined_u
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] mls_range length: 14
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] mls_range: s0-s0:c0.c1023
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] username length: 6
(2026-02-14 16:00:18): [selinux_child[54573]] [unpack_buffer] (0x2000): [RID#303] username: user
(2026-02-14 16:00:18): [selinux_child[54573]] [sss_log_process_caps] (0x0100): [RID#303] Performing selinux operations under ruid=0, euid=0, suid=467 : rgid=0, egid=0, sgid=467
(2026-02-14 16:00:18): [selinux_child[54573]] [sss_log_process_caps] (0x0100): [RID#303] With following capabilities:
(nothing)
(2026-02-14 16:00:18): [selinux_child[54573]] [seuser_needs_update] (0x2000): [RID#303] sss_get_seuser: ret: 0 seuser: unconfined_u mls: s0-s0:c0.c1023
(2026-02-14 16:00:18): [selinux_child[54573]] [sss_seuser_exists] (0x0400): [RID#303] seuser exists: yes
(2026-02-14 16:00:18): [selinux_child[54573]] [seuser_needs_update] (0x0400): [RID#303] The SELinux user does not need an update
(2026-02-14 16:00:18): [selinux_child[54573]] [main] (0x0400): [RID#303] selinux_child completed successfully
Environment
- OS: openSUSE MicroOS 20260212
- Pangolin Version: 1.15.4
- Gerbil Version: 1.3
- Traefik Version: 3.6
- SELinux: enforcing
- SSSD: 2.12
- IPA, version: 4.12.2
To Reproduce
- Login as SSSD user on linux
- pangolin up
Expected Behavior
pangolin up shoud start the connection