[Freeipa-devel] [Freeipa-users] SELinux user categories

Josh jokajak at gmail.com
Wed Feb 12 20:11:59 UTC 2014


On Feb 12, 2014, at 4:57 AM, Petr Viktorin <pviktori at redhat.com> wrote:

> Moving to freeipa-devel since we're going rather deep.
> 
> On 02/12/2014 10:02 AM, Martin Kosek wrote:
>> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>>> Josh wrote:
>>>> 
>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>> 
>>>>> Josh wrote:
>>>>>> I have a situation where I need to support more than 1024 categories
>>>>>> on a system.  I modified the selinuxusermap.py file to check for the
>>>>>> number of categories I need but ipa still responds with the original
>>>>>> error message.  Do I need to restart any of the services?
>>>>>> 
>>>>>> Here is the command that was run and the output after applying the
>>>>>> patch below:
>>>>>> 
>>>>>> ipa config-mod
>>>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>> 
>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>> 
>>>>> Have you updated your SELinux policy to support a larger MCS range? If
>>>>> not then this will get you past the IPA validator but it won't work
>>>>> with SELinux. See semanage(8).
>>>>> 
>>>>> rob
>>>> 
>>>> Yes.  I’m trying to set the SELinux categories in freeipa because when
>>>> you have lots of categories all semanage commands slow down (way down).
>>>> For other people’s knowledge, this requires recompilation of the
>>>> SELinux policy.
>>> 
>>> Ok, then your patch looks reasonable. The current code is for the default
>>> values and we haven't had cause to make this configurable before now. You might
>>> consider filing a ticket in our trac about this.
>>> 
>>> Also note that this change will be lost on your next IPA upgrade, and you'll
>>> need to make this change on any IPA master you want these values to be managed.
>>> The data will remain unchanged, but the original python values will be restored
>>> if you update the packages.
>>> 
>>> I don't believe validators are currently extensible in the IPA framework. That
>>> might be something we need to look at as well.
>>> 
>>> regards
>>> 
>>> rob
>> 
>> I am thinking you may be able to monkeypatch the validator in a custom plugin,
>> like selinuxusermap-user.py which would:
>> 
>> ~~~~
>> import ipalib.plugins.selinuxusermap as selinuxusermap
>> 
>> def custom_selinux_usermap_validator(ugettext, user):
>>     # same contract as the original: return an error string on invalid,
>>     # None on valid
>>     ...
>> 
>> # replace the module-level validator function (validate_selinuxuser in
>> # FreeIPA's selinuxusermap.py), not the module object itself
>> selinuxusermap.validate_selinuxuser = custom_selinux_usermap_validator
>> ~~~~
>> 
>> Then upgrade would not destroy the change. But of course, things may break as
>> well if for example we change the params of this function.
>> 
>> Martin
> 
> No, I don't think something like that will work; the validator is baked into the Param on creation. You'd have to replace `selinuxusermap.takes_params` with a copy that has a new `ipaselinuxuser` Param.
> 

I’m ok with the patch being removed on subsequent upgrades to the software.  I only need the validator modified during the initial setup.  After that the setting won’t need to be changed.

-josh
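As an added example that is not FreeIPA's own code, here is a simplified Python re-implementation of the SELinux user check that rejected the value in the thread, with the category ceiling as a parameter: it shows the same config-mod value failing at the default ceiling of c1023 and passing once the ceiling is raised to c16383, which is what the patch discussed above changes. Function names, the `max_category` parameter and the exact error wording are my own.

```python
import re

# Added example, not FreeIPA's code: a simplified re-implementation of the
# SELinux user check behind the error in the thread. The category ceiling is
# a parameter so the effect of raising it from 1023 (1024 categories) to
# 16383 can be seen on the page's own config-mod value.

_RE_NAME = re.compile(r'^[a-zA-Z][a-zA-Z_.]*$')
_RE_LEVEL = re.compile(r'^s(\d+)(?:-s(\d+))?$')
_RE_CAT = re.compile(r'^c(\d+)$')


def validate_selinux_user(user, max_category=1023, max_level=15):
    """Return None if `user` (name:MLS[:MCS]) is acceptable, else an error string."""
    name, _, rest = user.partition(':')
    mls, _, mcs = rest.partition(':')
    if not _RE_NAME.match(name):
        return 'Invalid SELinux user name, only a-Z, _ and . are allowed'
    m = _RE_LEVEL.match(mls)
    if not m or any(int(g) > max_level for g in m.groups() if g is not None):
        return 'Invalid MLS value, must match s[0-%d](-s[0-%d])' % (max_level, max_level)
    if mcs:
        # MCS is a comma-separated list of single categories or ranges
        # written c0.c5 or c0-c5; every category must be <= max_category
        for item in mcs.split(','):
            bounds = re.split(r'[.-]', item)
            nums = []
            for b in bounds:
                cm = _RE_CAT.match(b)
                if len(bounds) > 2 or not cm or int(cm.group(1)) > max_category:
                    return ('Invalid MCS value, must match c[0-%d].c[0-%d] '
                            'and/or c[0-%d]-c[0-%d]' % ((max_category,) * 4))
                nums.append(int(cm.group(1)))
            if len(nums) == 2 and nums[0] > nums[1]:
                return 'Invalid MCS range, low category exceeds high'
    return None


def validate_usermap_order(order, max_category=1023):
    """Validate a '$'-separated ipaselinuxusermaporder value; first error or None."""
    for entry in order.split('$'):
        err = validate_selinux_user(entry, max_category=max_category)
        if err:
            return "SELinux user '%s' is not valid: %s" % (entry, err)
    return None

# The value from the config-mod command quoted in the thread
THREAD_ORDER = ('guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383'
                '$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383')
```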
