[Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.

Alexander Bokovoy abokovoy at redhat.com
Mon Nov 28 17:10:35 UTC 2011


On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
> On Wed, 23 Nov 2011, Rob Crittenden wrote:
> > This will allow one to define what SELinux context a given user gets
> > on a given machine. A rule can contain a set of users and hosts or it
> > can point to an existing HBAC rule that defines them.
> > 
> > https://fedorahosted.org/freeipa/ticket/755
> I read through the patch, will need to test it later this week. I 
> basically have two minor points:
> 
> 1. Split character in the SELinux user map order.
> > +
> > + Define SELinux user map order:
> > +   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
> >  """)
> $ can be considered an 'active' character in all shells, in the sense
> that it changes the treatment of the following characters from the
> shell's perspective and therefore will always require shielding from
> the shell's influence. This increases the likelihood of error on the
> user's side.
> 
> Maybe / would be a more neutral character?
> 
> As you said on IRC, people might have religious feelings about
> separators, but tricking users into always thinking about
> escaping/single quoting is equally bad.
> 
> 2. We have two possible ways to address named properties in MagicDict
> and NameSpace objects -- through explicit attribute use and through
> the dictionary key. I guess for the cases when we know the attribute
> name in advance, it would perhaps be preferable to use the former
> style:
> 
> > +    def pre_callback(self, ldap, dn, *keys, **options):
> > +        kw = dict(seealso=dn)
> > +        _entries = api.Command['selinuxusermap_find'](None, **kw)
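Review bot: `_entries` is assigned in this pre_callback but the visible lines do not show it being used; if the intent is to refuse the operation while any SELinux user map still references this DN through `seealso`, the callback should act on the result (for instance raise `errors.DependentEntry` when `_entries['count']` is non-zero) and say so in a short comment, since a lookup whose result is discarded is indistinguishable from dead code to the next reader. The temporary `kw = dict(seealso=dn)` can also be inlined as `seealso=dn` in the call.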
> this would be 
>            _entries = api.Command.selinuxusermap_find(None, **kw)
> 
> Other than those two minor points, the patch looks very good. I'm 
> going to give it a run on Friday.
I tested the patch and it works for me on a new install. On upgrade of an
existing installation I got a few errors during the run of
ipa-ldap-updater for the SELinux schema changes. Unfortunately, I didn't
save the log as it was a 2.1 -> 2.99 upgrade as well.

-- 
/ Alexander Bokovoy
