[augeas-devel] Some ideas about how to use Augeas with IPA

Tue May 13 18:38:40 UTC 2008

Hi David,

Now I understand the case with the validation.
Here is the case when I had some problems.

File:
===================================================================
# This is the SELinux file

system_u;*;*;system_u;s0-s0:c0.c1023
root;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;people.redhat.com;*;xguest_u;s0
dwalsh;people.fedoraproject.com;*;xguest_u;s0
dwalsh;redline.boston.redhat.com;*;user_u;s0
dwalsh;redsox.boston.redhat.com;*;unconfined_u;s0-s0:c0.c1023
dwalsh;redsox.boston.redhat.com;ssh;guest_u;s0-s0:c0.c1023
+engineering;redsox;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;ssh;staff_u;s0-s0:c0.c1023
+engineering;*;*;staff_u;s0-s0:c0.c1023
*;*;xdm;xguest_u;s0
*;*;*;guest_u;s0
===========================================================

Lenses:
===========================================================

(* Parsing SELinux file *)

module Selinux =
  autoload xfm

  let sep = del /[ \t]*;[ \t]*/ ";"

  let eol = Util.del_str "\n"

  let comment = [ del /#.*\n/ "# " ]
  let emptyln = [ del /[ \t]*\n/ "\n" ]
  let word = /[^# \n\t;]+/
  let record = [ seq "rule" .  [ label "user" . store  word ] . sep .
                               [ label "machine" . store word ] . sep .
                               [ label "service" .  store word ] . sep .
                               [ label "seuser". store word ] . sep .
                               [ label "mls" . store word ] . eol ]

  let lns = ( emptyln | comment | record ) *

  let xfm = transform lns (incl "/etc/selinux/targeted/senew")

(* Local Variables: *)
(* mode: caml *)
(* End: *)

======================================================

Tree

augtool> ls /files/etc/selinux/targeted/senew/*
user = system_u
machine = *
service = *
seuser = system_u
mls = s0-s0:c0.c1023
user = root
machine = redsox.boston.redhat.com
service = *
seuser = unconfined_u
mls = s0-s0:c0.c1023
user = dwalsh
machine = people.redhat.com
service = *
seuser = xguest_u
mls = s0
user = dwalsh
machine = people.fedoraproject.com
service = *
seuser = xguest_u
mls = s0
user = dwalsh
machine = redline.boston.redhat.com
service = *
seuser = user_u
mls = s0
user = dwalsh
machine = redsox.boston.redhat.com
service = *
seuser = unconfined_u
mls = s0-s0:c0.c1023
user = dwalsh
machine = redsox.boston.redhat.com
service = ssh
seuser = guest_u
mls = s0-s0:c0.c1023
user = +engineering
machine = redsox
service = ssh
seuser = staff_u
mls = s0-s0:c0.c1023
user = +engineering
machine = *
service = ssh
seuser = staff_u
mls = s0-s0:c0.c1023
user = +engineering
machine = *
service = *
seuser = staff_u
mls = s0-s0:c0.c1023
user = *
machine = *
service = xdm
seuser = xguest_u
mls = s0
user = *
machine = *
service = *
seuser = guest_u
mls = s0

============================================================
Commands

augtool> set /files/etc/selinux/targeted/senew/100/user test
augtool> set /files/etc/selinux/targeted/senew/100/machine test-machine
augtool> set /files/etc/selinux/targeted/senew/100/service test-service
augtool> set /files/etc/selinux/targeted/senew/100/seuser test-role
augtool> set /files/etc/selinux/targeted/senew/100/mls bla:bla:bla
augtool> save
augtool> 

As a result a new line in file appears

test;test-machine;test-service;test-role;bla:bla:bla

Now I update it:

augtool> set /files/etc/selinux/targeted/senew/100/user test;user
augtool> save

Save should have failed since it creates the file that can't be parsed
back properly. It succeeds and file now has:

test;user;test-machine;test-service;test-role;bla:bla:bla

===============================================================

As for other issues, unfortunately we do not have the code to do what I
am talking about. But I will try to create some examples to illustrate
the issues. It will take me some time since I am focusing on other
things at the moment and not ready to start developing things myself.

Thanks,
Dmitri