[Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.

Rob Crittenden rcritten at redhat.com
Tue Nov 29 22:45:57 UTC 2011


Alexander Bokovoy wrote:
> On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
>> On Wed, 23 Nov 2011, Rob Crittenden wrote:
>>> This will allow one to define what SELinux context a given user gets
>>> on a given machine. A rule can contain a set of users and hosts or it
>>> can point to an existing HBAC rule that defines them.
>>>
>>> https://fedorahosted.org/freeipa/ticket/755
>> I read through the patch, will need to test it later this week. I
>> basically have two minor points:
>>
>> 1. Split character in the SE Linux user map order.
>>> +
>>> + Define SELinux user map order:
>>> +   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
>>>   """)
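Review bot: the `$` separator in the `ipa config-mod --ipaselinuxusermaporder=` example needs single quotes on every shell invocation, as the example itself shows; if `$` stays, the option's help text should state that the value must be quoted, since an unquoted or double-quoted value loses every `$name` segment to shell variable expansion before it reaches the command.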
>> $ can be considered 'active' character in all shells in a sense it
>> changes treatment of following characters from the shell perspective
>> and therefore will always require shielding from the shell's
>> influence. This increases likelihood of error from a user side.
>>
>> Maybe / would be a more neutral character?
>>
>> As you said on IRC, people might have religious feeling about
>> separators but tricking users into always thinking about
>> escaping/single quoting is equally bad.
>>
>> 2. We have two possible ways to address named properties in MagicDict
>> and NameSpace objects -- through explicit attribute use and through
>> the dictionary key. I guess for the cases when we know the attribute
>> name in advance, it would perhaps be preferable to use the former
>> style:
>>
>>> +    def pre_callback(self, ldap, dn, *keys, **options):
>>> +        kw = dict(seealso=dn)
>>> +        _entries = api.Command['selinuxusermap_find'](None, **kw)
>> this would be
>>             _entries = api.Command.selinuxusermap_find(None, **kw)
>>
>> Other than those two minor points, the patch looks very good. I'm
>> going to give it a run on Friday.
> I tested the patch and it works for me on a new install. On upgrade of
> existing installation I've got a few errors during the run of
> ipa-ldap-updater for SELinux schema changes. Unfortunately, I didn't
> save the log as it was a 2.1 -> 2.99 upgrade as well.
>

It turns out that other characters are just as troublesome and require 
escaping (space and \). I'm going to leave it as $ unless someone comes 
up with something better that the shell isn't going to whine about.

I fixed some other minor issues and rebased.

Upgrading isn't really testable at this point yet, other things in 3.0 
need to be addressed as well. We have a separate ticket to look into the 
schema updates so I've removed the update file for now.

rob
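The two points argued in this thread, that `$` is an active character in every shell and that the order string is what decides which SELinux user a person gets, can be checked offline. The block below is an added example, not code from the FreeIPA patch or from the project: it parses an `ipaselinuxusermaporder` value on `$`, validates each `seuser:level` entry, picks the winning entry among candidates from several matching maps, and reproduces what a POSIX shell does to the value when it is not single-quoted. The sample value is the one from the quoted docstring; the entry regex, the `expand_like_shell` helper and the assumption that the list runs from lowest to highest priority (so the rightmost matching entry wins) are this example's own, not something the thread states.

```python
import re

# Separator used by the patch for the SELinux user map order.
SEPARATOR = "$"

# Constructed sample: the value from the quoted docstring example.
SAMPLE_ORDER = ("guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023"
                "$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023")

# Loose shape check for seuser:level or seuser:low-high[:cats] (an
# assumption of this example); enough to catch entries mangled by the shell.
_ENTRY_RE = re.compile(r"^[a-z_][a-z0-9_]*:s\d+(-s\d+(:c\d+(\.c\d+)?)?)?$")

# $name as a POSIX shell expands it inside double quotes or unquoted.
_VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_order(order):
    """Split the map order into entries and validate each one.

    Returns the entries in the order given. Raises ValueError on an
    empty, duplicated or malformed entry.
    """
    entries = order.split(SEPARATOR)
    seen = set()
    for entry in entries:
        if not _ENTRY_RE.match(entry):
            raise ValueError("malformed SELinux user entry: %r" % entry)
        if entry in seen:
            raise ValueError("duplicate SELinux user entry: %r" % entry)
        seen.add(entry)
    return entries


def is_valid_order(order):
    """True if parse_order() accepts the value, False otherwise."""
    try:
        parse_order(order)
        return True
    except ValueError:
        return False


def pick_selinux_user(order, candidates):
    """Choose the winning SELinux user when several maps match.

    Assumption (this example's, not the thread's): the order lists users
    in increasing priority, so the candidate furthest right wins.
    Candidates absent from the order are rejected, not silently chosen.
    """
    rank = {entry: i for i, entry in enumerate(parse_order(order))}
    unknown = [c for c in candidates if c not in rank]
    if unknown:
        raise ValueError("candidates not in map order: %r" % unknown)
    if not candidates:
        return None
    return max(candidates, key=lambda c: rank[c])


def expand_like_shell(order, env):
    """Mimic a POSIX shell's treatment of the value when it is unquoted or
    double-quoted: every $name is replaced by env.get(name, "").

    Single quotes, as in the docstring example, leave the value untouched.
    """
    return _VAR_RE.sub(lambda m: env.get(m.group(1), ""), order)


if __name__ == "__main__":
    print(parse_order(SAMPLE_ORDER))
    print(pick_selinux_user(SAMPLE_ORDER,
                            ["guest_u:s0", "user_u:s0-s0:c0.c1023"]))
    # With an empty environment every "$xguest_u"-style segment vanishes,
    # leaving one unparseable entry.
    mangled = expand_like_shell(SAMPLE_ORDER, {})
    print(mangled, is_valid_order(mangled))
```

Run as a script it prints the parsed entries, the winner between the guest and user candidates, and the single mangled entry a double-quoted invocation would hand to `ipa config-mod`, which the validator then rejects.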
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-906-2-selinux.patch
Type: text/x-patch
Size: 65407 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111129/ce9e1616/attachment.bin>
