[Freeipa-users] SELinux user categories

Josh jokajak at gmail.com
Wed Feb 12 20:15:31 UTC 2014


On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Josh wrote:
>> 
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcritten at redhat.com
>> <mailto:rcritten at redhat.com>> wrote:
>> 
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories
>>>> on a system.  I modified the selinuxusermap.py file to check for the
>>>> number of categories I need but ipa still responds with the original
>>>> error message.  Do I need to restart any of the services?
>>>> 
>>>> Here is the command that was run and the output after applying the
>>>> patch below:
>>>> 
>>>> ipa config-mod
>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>> 
>>> Have you updated your SELinux policy to support a larger MCS range? If
>>> not then this will get you past the IPA validator but it won't work
>>> with SELinux. See semanage(8).
>>> 
>>> rob
>> 
>> Yes.  I’m trying to set the SELinux categories in freeipa because when
>> you have lots of categories all semanage commands slow down (way down).
>>  For other people’s knowledge, this requires recompilation of the
>> SELinux policy.
> 
> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.

As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.
> 
> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master where you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.

I’m ok with that because the values only need to be set during initial setup.  Any idea why the validator isn’t being modified?
> 
> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
> 
> regards
> 
> rob
> 

Thanks for the help.

-josh

>> 
>> -josh
>> 
>>> 
>>>> 
>>>> Thanks,
>>>> -josh
>>>> 
>>>> PS: This is the patch that was applied
>>>> 
>>>> ---
>>>> /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats  2014-02-11
>>>> 13:18:19.868574971 -0500
>>>> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py
>>>>  2014-02-11 13:20:03.563127380 -0500
>>>> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>>>>     if not mls or not regex_mls.match(mls):
>>>>         return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>>>>     m = regex_mcs.match(mcs)
>>>> -    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
>>>> -        return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
>>>> -                 'and/or c[0-1023]-c[0-c0123]')
>>>> +    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 16384))):
>>>> +        return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
>>>> +                 'and/or c[0-16384]-c[0-16384]')
>>>>     return None
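Review bot: the new bound `int(m.group(3)) > 16384` is off by one for the policy described in this thread: categories run c0 through c16383 (the order string being set uses `c0.c16383`), so c16384 should be rejected; suggest `> 16383` and an error text of `c[0-16383].c[0-16383] and/or c[0-16383]-c[0-16383]` so the message matches what the check enforces (the replaced text also fixes the original's `c[0-c0123]` typo, which is worth keeping). The comparison only bounds `m.group(3)`; whether the first category in a pair is also bounded depends on `regex_mcs`, which this hunk does not show, so that should be confirmed. Since the limit now differs from upstream and will be overwritten on package upgrade, hoisting it into a single named module-level constant would make the local change easier to re-apply.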
>>>> 
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com <mailto:Freeipa-users at redhat.com>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> 
> 
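The validation the thread is patching, rewritten as an added example with the category ceiling as a parameter instead of a hard-coded number. This is not FreeIPA's selinuxusermap.py; the regular expressions, the function names and the `$`-separated order string (copied from the command in the thread) are assumptions of this example.

```python
import re

# Assumed syntax, not FreeIPA's regex: MLS level "s0" or range "s0-s15".
MLS_RE = re.compile(r"^s(\d+)(?:-s(\d+))?$")
# Assumed syntax: single category "c0", dotted range "c0.c1023" or dashed span "c0-c5".
MCS_RE = re.compile(r"^c(\d+)(?:([.\-])c(\d+))?$")

# Constructed from the ipa config-mod command quoted in the thread.
ORDER_FROM_THREAD = ("guest_u:s0$xguest_u:s0$user_u:s0"
                     "$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383"
                     "$ia_u:s0-s15:c0.c16383")


def validate_selinuxuser(user, max_category=1023, max_level=15):
    """Return None if `user` is a valid name:mls[:mcs] context, else an error string.

    max_category is the highest category the loaded SELinux policy defines
    (c0..c1023 by default; the thread rebuilt policy for c0..c16383).
    """
    parts = user.split(":")
    if len(parts) not in (2, 3) or not parts[0]:
        return "SELinux user must look like name:mls[:mcs]"
    mls = parts[1]
    mcs = parts[2] if len(parts) == 3 else ""
    m = MLS_RE.match(mls)
    if not m or any(int(g) > max_level for g in m.groups() if g is not None):
        return "Invalid MLS value, must match s[0-%d](-s[0-%d])" % (max_level, max_level)
    if mcs:
        m = MCS_RE.match(mcs)
        # Bound both categories, not only the second one, and reject reversed spans.
        cats = [int(g) for g in (m.group(1), m.group(3)) if g is not None] if m else []
        if (not m or any(c > max_category for c in cats)
                or (len(cats) == 2 and cats[0] > cats[1])):
            return ("Invalid MCS value, must match c[0-%d].c[0-%d] "
                    "and/or c[0-%d]-c[0-%d]" % ((max_category,) * 4))
    return None


def validate_usermap_order(order, max_category=1023):
    """Validate every entry of a '$'-separated order string; returns (user, error) pairs."""
    return [(u, validate_selinuxuser(u, max_category)) for u in order.split("$")]


if __name__ == "__main__":
    for ceiling in (1023, 16383):
        for user, err in validate_usermap_order(ORDER_FROM_THREAD, ceiling):
            print("max c%d  %-28s %s" % (ceiling, user, err or "ok"))
```

With the default ceiling the three `c0.c16383` entries are rejected exactly as in the quoted `ipa config-mod` error; with the ceiling raised to 16383 they pass, and `c16384` is still refused.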