[Freeipa-users] SELinux user categories

Petr Viktorin pviktori at redhat.com
Wed Feb 12 09:57:10 UTC 2014


Moving to freeipa-devel since we're going rather deep.

On 02/12/2014 10:02 AM, Martin Kosek wrote:
> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>> Josh wrote:
>>>
>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcritten at redhat.com
>>> <mailto:rcritten at redhat.com>> wrote:
>>>
>>>> Josh wrote:
>>>>> I have a situation where I need to support more than 1024 categories
>>>>> on a system.  I modified the selinuxusermap.py file to check for the
>>>>> number of categories I need but ipa still responds with the original
>>>>> error message.  Do I need to restart any of the services?
>>>>>
>>>>> Here is the command that was run and the output after applying the
>>>>> patch below:
>>>>>
>>>>> ipa config-mod
>>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>
>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>
>>>> Have you updated your SELinux policy to support a larger MCS range? If
>>>> not then this will get you past the IPA validator but it won't work
>>>> with SELinux. See semanage(8).
>>>>
>>>> rob
>>>
>>> Yes.  I’m trying to set the SELinux categories in freeipa because when
>>> you have lots of categories all semanage commands slow down (way down).
>>> For other people’s knowledge, this requires recompilation of the
>>> SELinux policy.
>>
>> Ok, then your patch looks reasonable. The current code is for the default
>> values and we haven't had cause to make this configurable before now. You might
>> consider filing a ticket in our trac about this.
>>
>> Also note that this change will be lost on your next IPA upgrade, and you'll
>> need to make this change on any IPA master you want these values to be managed.
>> The data will remain unchanged, but the original python values will be restored
>> if you update the packages.
>>
>> I don't believe validators are currently extensible in the IPA framework. That
>> might be something we need to look at as well.
>>
>> regards
>>
>> rob
>
> I am thinking you may be able to monkeypatch the validator in a custom plugin,
> like selinuxusermap-user.py which would:
>
> ~~~~
> import ipalib.plugins.selinuxusermap
>
> def custom_selinux_usermap_validator(ugettext, user):
>      ...
>
> # replace the module-level validator with the custom one
> ipalib.plugins.selinuxusermap.validate_selinuxuser = custom_selinux_usermap_validator
> ~~~~
>
> Then upgrade would not destroy the change. But of course, things may break as
> well if for example we change the params of this function.
>
> Martin

No, I don't think something like that will work; the validator is baked 
into the Param on creation. You'd have to replace 
`selinuxusermap.takes_params` with a copy that has a new 
`ipaselinuxuser` Param.


-- 
Petr³
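The MCS check this thread patches, as an added example that is not FreeIPA's own code: a validator for the same user:MLS[:MCS] string shape, with the category ceiling a parameter instead of the hard-coded 1023, plus the per-user loop that config-mod applies to ipaselinuxusermaporder. Function names and messages are my own.

```python
import re

# Constructed example, not FreeIPA's own code: an SELinux user validator in the
# style of the one this thread patches, with the MCS category ceiling configurable.
# An SELinux user string is user:MLS[:MCS], e.g. staff_u:s0-s15:c0.c16383.
NAME_RE = re.compile(r'^[a-zA-Z][a-zA-Z_.]*$')
MLS_RE = re.compile(r'^s(\d{1,2})(?:-s(\d{1,2}))?$')   # s0 or s0-s15
CAT_RE = re.compile(r'^c(\d+)$')                       # a single category, c0 .. cN


def validate_selinux_user(user, max_category=1023, max_sensitivity=15):
    """Return None when `user` is valid, otherwise a short error message."""
    parts = user.split(':')
    if len(parts) not in (2, 3):
        return 'Invalid SELinux user, must be of the format user:MLS[:MCS]'
    name, mls = parts[0], parts[1]
    if not NAME_RE.match(name):
        return 'Invalid SELinux user name, only a-Z and _ are allowed'
    m = MLS_RE.match(mls)
    if not m:
        return 'Invalid MLS value, must match s[0-%d] or s[0-%d]-s[0-%d]' % ((max_sensitivity,) * 3)
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if high > max_sensitivity or low > high:
        return 'Invalid MLS range, sensitivities must be ascending and at most s%d' % max_sensitivity
    if len(parts) == 3:
        mcs_error = ('Invalid MCS value, must match c[0-%d].c[0-%d] and/or '
                     'c[0-%d]-c[0-%d]' % ((max_category,) * 4))
        # Categories are c<n> tokens joined by '.' or ',' (lists) or '-' (a range).
        for token in re.split(r'[.,]', parts[2]):
            bounds = token.split('-')
            if len(bounds) > 2:
                return mcs_error
            nums = []
            for bound in bounds:
                cm = CAT_RE.match(bound)
                if not cm or int(cm.group(1)) > max_category:
                    return mcs_error
                nums.append(int(cm.group(1)))
            if len(nums) == 2 and nums[0] >= nums[1]:
                return mcs_error
    return None


def validate_usermap_order(order, max_category=1023):
    """Check a '$'-separated ipaselinuxusermaporder value the way config-mod does."""
    for user in order.split('$'):
        error = validate_selinux_user(user, max_category=max_category)
        if error:
            return "SELinux user '%s' is not valid: %s" % (user, error)
    return None
```

With the default ceiling the order string from the thread is rejected at `staff_u:s0-s15:c0.c16383`; raising `max_category` to 16383 (which the system's SELinux policy must also support) accepts it.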