[Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.
Rob Crittenden
rcritten at redhat.com
Tue Nov 29 22:45:57 UTC 2011
Alexander Bokovoy wrote:
> On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
>> On Wed, 23 Nov 2011, Rob Crittenden wrote:
>>> This will allow one to define what SELinux context a given user gets
>>> on a given machine. A rule can contain a set of users and hosts or it
>>> can point to an existing HBAC rule that defines them.
>>>
>>> https://fedorahosted.org/freeipa/ticket/755
>> I read through the patch, will need to test it later this week. I
>> basically have two minor points:
>>
>> 1. Split character in the SELinux user map order.
>>> +
>>> + Define SELinux user map order:
>>> + ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
>>> """)
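Review bot: the help text example at `ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$...'` relies on the single quotes to keep the shell from expanding `$xguest_u`, `$user_u` and the other `$`-prefixed fragments as variables, but nothing in the text says so; add a sentence noting that the value must be single-quoted (or the `$` escaped) on the command line, since an unquoted value would be silently mangled rather than rejected.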
>> $ can be considered 'active' character in all shells in a sense it
>> changes treatment of following characters from the shell perspective
>> and therefore will always require shielding from the shell's
>> influence. This increases likelihood of error from a user side.
>>
>> Maybe / would be more neutral character?
>>
>> As you said on IRC, people might have religious feeling about
>> separators but tricking users into always thinking about
>> escaping/single quoting is equally bad.
>>
>> 2. We have two possible ways to address named properties in MagicDict
>> and NameSpace objects -- through explicit attribute use and through
>> the dictionary key. I guess for the cases when we know the attribute
>> name in advance, it would perhaps be preferable to use the former
>> style:
>>
>>> + def pre_callback(self, ldap, dn, *keys, **options):
>>> + kw = dict(seealso=dn)
>>> + _entries = api.Command['selinuxusermap_find'](None, **kw)
>> this would be
>> _entries = api.Command.selinuxusermap_find(None, **kw)
>>
>> Other than those two minor points, the patch looks very good. I'm
>> going to give it a run on Friday.
> I tested the patch and it works for me on a new install. On upgrade of
> existing installation I've got few errors during run of
> ipa-ldap-updater for SELinux schema changes. Unfortunately, didn't
> save the log as it was 2.1 -> 2.99 upgrade as well.
>
It turns out that other characters are just as troublesome and require
escaping (space and \). I'm going to leave it as $ unless someone comes
up with something better that the shell isn't going to whine about.
I fixed some other minor issues and rebased.
Upgrading isn't really testable at this point yet, other things in 3.0
need to be addressed as well. We have a separate ticket to look into the
schema updates so I've removed the update file for now.
rob
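As an added illustration of the separator question discussed above (example code written for this page, not part of the patch or of FreeIPA), the following Python parses a `$`-separated SELinux user map order string, rejects values whose shape no longer looks like `seuser:level[-level]` entries (which is what you get when the shell expands `$xguest_u` and friends to empty strings because the value was not quoted), and resolves which context wins when several maps match a user. The entry syntax regex and the precedence rule (later entries in the order take precedence, with a separate default for users matching no map) are assumptions made for this example, not something the patch specifies; the unquoted sample value is constructed here.

```python
import re

# Separator chosen in the patch under discussion.
SEPARATOR = "$"

# Assumed entry syntax for this example: seuser ":" MLS level, optionally
# "-" high level, where a level is sN with optional category set, e.g.
#   guest_u:s0   user_u:s0-s0:c0.c1023   staff_u:s0:c0,c5
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
_ENTRY_RE = re.compile(rf"^[a-z_][a-z0-9_]*:{_LEVEL}(?:-{_LEVEL})?$")


class SELinuxOrderError(ValueError):
    """Raised when an order string is not a list of well-formed entries."""


def parse_order(order):
    """Split an ipaselinuxusermaporder value into its entries, validating each.

    Returns the entries in the order given; raises SELinuxOrderError on an
    empty string, a malformed entry, or a duplicate entry.
    """
    if not order:
        raise SELinuxOrderError("empty SELinux user map order")
    entries = order.split(SEPARATOR)
    seen = set()
    for entry in entries:
        if not _ENTRY_RE.match(entry):
            raise SELinuxOrderError(
                f"malformed SELinux user entry {entry!r}; "
                f"was the value quoted so the shell did not expand '$'?"
            )
        if entry in seen:
            raise SELinuxOrderError(f"duplicate SELinux user entry {entry!r}")
        seen.add(entry)
    return entries


def pick_context(order, candidates, default):
    """Choose the SELinux context for a user from the contexts of all maps
    that matched them.

    Assumed precedence rule for this example: the candidate appearing latest
    in the order wins; a user matching no map gets `default`.  Any candidate
    not present in the order is a configuration error and is rejected.
    """
    entries = parse_order(order)
    rank = {entry: i for i, entry in enumerate(entries)}
    if not candidates:
        return default
    unknown = [c for c in candidates if c not in rank]
    if unknown:
        raise SELinuxOrderError(f"context(s) not in order: {unknown}")
    return max(candidates, key=lambda c: rank[c])


# Value from the patch's help text, as it reaches the server when quoted.
QUOTED_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023"
    "$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)

# Constructed: what a POSIX shell would pass if the same value were typed
# unquoted and $xguest_u, $user_u, $staff_u, $unconfined_u were unset.
UNQUOTED_ORDER = "guest_u:s0:s0:s0-s0:c0.c1023:s0-s0:c0.c1023:s0-s0:c0.c1023"

DEFAULT_CONTEXT = "unconfined_u:s0-s0:c0.c1023"


def demo():
    """Return (parsed entries, error text for the unquoted value, winner)."""
    entries = parse_order(QUOTED_ORDER)
    try:
        parse_order(UNQUOTED_ORDER)
        error = None
    except SELinuxOrderError as exc:
        error = str(exc)
    winner = pick_context(
        QUOTED_ORDER,
        ["user_u:s0-s0:c0.c1023", "staff_u:s0-s0:c0.c1023"],
        DEFAULT_CONTEXT,
    )
    return entries, error, winner


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point of the validator is that a mangled value fails loudly at `config-mod` time instead of being stored and then silently misordering every host's SELinux mapping; the same check would work with any single-character separator, so swapping `$` for `/` later only means changing `SEPARATOR`.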
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-906-2-selinux.patch
Type: text/x-patch
Size: 65407 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111129/ce9e1616/attachment.bin>