[Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.
Alexander Bokovoy
abokovoy at redhat.com
Wed Nov 23 23:00:48 UTC 2011
Hi Rob,
On Wed, 23 Nov 2011, Rob Crittenden wrote:
> This will allow one to define what SELinux context a given user gets
> on a given machine. A rule can contain a set of users and hosts or it
> can point to an existing HBAC rule that defines them.
>
> https://fedorahosted.org/freeipa/ticket/755
I read through the patch, will need to test it later this week. I
basically have two minor points:
1. Split character in the SELinux user map order.
> +
> + Define SELinux user map order:
> + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
> """)
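Review bot: the docstring example never says which character separates the entries in `--ipaselinuxusermaporder`, nor that the value has to be quoted on the command line; a reader has to infer both from the single-quoted example. Suggest a sentence before the example naming the separator and noting that the value must be quoted when given to a shell, so the documentation does not depend on the reader noticing the quotes.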
$ can be considered 'active' character in all shells in a sense it
changes treatment of following characters from the shell perspective
and therefore will always require shielding from the shell's
influence. This increases likelihood of error from a user side.
Maybe / would be more neutral character?
As you said on IRC, people might have religious feeling about
separators but tricking users into always thinking about
escaping/single quoting is equally bad.
2. We have two possible ways to address named properties in MagicDict
and NameSpace objects -- through explicit attribute use and through
the dictionary key. I guess for the cases when we know the attribute
name in advance, it would perhaps be preferable to use the former
style:
> + def pre_callback(self, ldap, dn, *keys, **options):
> + kw = dict(seealso=dn)
> + _entries = api.Command['selinuxusermap_find'](None, **kw)
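Review bot: `kw = dict(seealso=dn)` is built only to be unpacked on the very next line; passing `seealso=dn` directly to the `selinuxusermap_find` call (`api.Command['selinuxusermap_find'](None, seealso=dn)`) reads more clearly and drops a single-use local. The leading underscore on `_entries` also suggests an unused value, while it is the result the callback needs; a plain name would better reflect that.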
this would be
_entries = api.Command.selinuxusermap_find(None, **kw)
Other than those two minor points, the patch looks very good. I'm
going to give it a run on Friday.
--
/ Alexander Bokovoy
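An added shell demonstration of the separator point above (it is not part of this reply or of the FreeIPA patch): the `$`-separated order value is the one from the quoted docstring, while the `/`-separated variant, the helper function names and the use of `eval` to simulate an unquoted argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the patch or the FreeIPA project.
# It shows what a shell does to an ipaselinuxusermaporder value when the
# separator is '$' and the user forgets to quote it, versus a '/' separator.

# Make sure none of the names that '$' would turn into variable references
# happen to be set in the environment.
unset xguest_u user_u staff_u unconfined_u

# Value taken from the quoted docstring example ('$' separator).
DOLLAR_ORDER='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
# Constructed variant of the same value with '/' as separator (assumption).
SLASH_ORDER='guest_u:s0/xguest_u:s0/user_u:s0-s0:c0.c1023/staff_u:s0-s0:c0.c1023/unconfined_u:s0-s0:c0.c1023'

# Count the fields of $1 when split on the single-character separator $2.
count_fields() {
    old_ifs=$IFS
    IFS=$2
    # Word-splitting on IFS; $1 is deliberately left unquoted here.
    set -- $1
    IFS=$old_ifs
    echo "$#"
}

# Simulate what the shell does to an UNQUOTED argument: every "$name" in it
# is expanded as a variable reference (to the empty string here).
as_unquoted_arg() {
    eval "printf '%s' \"$1\""
}

# Demonstration when run directly.
echo "quoted   '\$' value: $(count_fields "$DOLLAR_ORDER" '$') fields"
echo "unquoted '\$' value: $(count_fields "$(as_unquoted_arg "$DOLLAR_ORDER")" '$') field(s)"
echo "quoted   '/' value: $(count_fields "$SLASH_ORDER" '/') fields"
echo "unquoted '/' value: $(count_fields "$(as_unquoted_arg "$SLASH_ORDER")" '/') fields"
```

Run as-is, the `$`-separated value keeps its five entries only while quoted; once the shell expands it, `$xguest_u`, `$user_u`, `$staff_u` and `$unconfined_u` vanish and a single malformed entry is left, whereas the `/`-separated value survives either way.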