[Freeipa-users] SELinux user categories

Rob Crittenden rcritten at redhat.com
Tue Feb 11 19:44:55 UTC 2014


Josh wrote:
> I have a situation where I need to support more than 1024 categories on a system.  I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message.  Do I need to restart any of the services?
>
> Here is the command that was run and the output after applying the patch below:
>
> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

Have you updated your SELinux policy to support a larger MCS range? If 
not then this will get you past the IPA validator but it won't work with 
SELinux. See semanage(8).

rob

>
> Thanks,
> -josh
>
> PS: This is the patch that was applied
>
> --- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats  2014-02-11 13:18:19.868574971 -0500
> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py   2014-02-11 13:20:03.563127380 -0500
> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>       if not mls or not regex_mls.match(mls):
>           return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>       m = regex_mcs.match(mcs)
> -    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
> -        return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
> -                 'and/or c[0-1023]-c[0-c0123]')
> +    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 16384))):
> +        return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
> +                 'and/or c[0-16384]-c[0-16384]')
>       return None
>
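Review bot: the new bound in `int(m.group(3)) > 16384` is off by one against the check it replaces. The old `> 1023` accepted c0 through c1023, so the equivalent for a range ending at c16383 (the value used in the command above) is `> 16383`, with the message reading c[0-16383]. As written, c16384 passes validation. The visible lines range-check only `m.group(3)`; if `regex_mcs` captures the other category number in a separate group, bound that one as well. The limit is also still a hard-coded literal repeated in the condition and in both halves of the message, so a single named constant would keep the check and the error text from drifting apart, as the old message's `c[0-c0123]` already had.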