[Freeipa-devel] [Freeipa-users] SELinux user categories
Josh
jokajak at gmail.com
Wed Feb 12 20:11:59 UTC 2014
On Feb 12, 2014, at 4:57 AM, Petr Viktorin <pviktori at redhat.com> wrote:
> Moving to freeipa-devel since we're going rather deep.
>
> On 02/12/2014 10:02 AM, Martin Kosek wrote:
>> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>>> Josh wrote:
>>>>
>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcritten at redhat.com
>>>> <mailto:rcritten at redhat.com>> wrote:
>>>>
>>>>> Josh wrote:
>>>>>> I have a situation where I need to support more than 1024 categories
>>>>>> on a system. I modified the selinuxusermap.py file to check for the
>>>>>> number of categories I need but ipa still responds with the original
>>>>>> error message. Do I need to restart any of the services?
>>>>>>
>>>>>> Here is the command that was run and the output after applying the
>>>>>> patch below:
>>>>>>
>>>>>> ipa config-mod
>>>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>>
>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>
>>>>> Have you updated your SELinux policy to support a larger MCS range? If
>>>>> not then this will get you past the IPA validator but it won't work
>>>>> with SELinux. See semanage(8).
>>>>>
>>>>> rob
>>>>
>>>> Yes. I’m trying to set the SELinux categories in freeipa because when
>>>> you have lots of categories all semanage commands slow down (way down).
>>>> For other people’s knowledge, this requires recompilation of the
>>>> SELinux policy.
>>>
>>> Ok, then your patch looks reasonable. The current code is for the default
>>> values and we haven't had cause to make this configurable before now. You might
>>> consider filing a ticket in our trac about this.
>>>
>>> Also note that this change will be lost on your next IPA upgrade, and you'll
>>> need to make this change on any IPA master you want these values to be managed.
>>> The data will remain unchanged, but the original python values will be restored
>>> if you update the packages.
>>>
>>> I don't believe validators are currently extensible in the IPA framework. That
>>> might be something we need to look at as well.
>>>
>>> regards
>>>
>>> rob
>>
>> I am thinking you may be able to monkeypatch the validator in a custom plugin,
>> like selinuxusermap-user.py which would:
>>
>> ~~~~
>> import ipalib.plugins.selinuxusermap(
>>
>> def custom_selinux_usermap_validator((ugettext, user):
>> ...
>>
>> ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator
>> ~~~~
>>
>> Then upgrade would not destroy the change. But of course, things may break as
>> well if for example we change the params of this function.
>>
>> Martin
>
> No, I don't think something like that will work; the validator is baked into the Param on creation. You'd have to replace `selinuxusermap.takes_params` with a copy that has a new `ipaselinuxuser` Param.
>
I’m ok with the patch being removed on subsequent upgrades to the software. I only need the validator modified during the initial setup. After that the setting won’t need to be changed.
-josh
>
> --
> Petr³
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
More information about the Freeipa-devel
mailing list