On 02/11/2014 08:52 PM, Rob Crittenden wrote:
> Josh wrote:
>>
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories
>>>> on a system. I modified the selinuxusermap.py file to check for the
>>>> number of categories I need but ipa still responds with the original
>>>> error message. Do I need to restart any of the services?
>>>>
>>>> Here is the command that was run and the output after applying the
>>>> patch below:
>>>>
>>>> ipa config-mod
>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>
>>> Have you updated your SELinux policy to support a larger MCS range? If
>>> not then this will get you past the IPA validator but it won't work
>>> with SELinux. See semanage(8).
>>>
>>> rob
>>
>> Yes. I’m trying to set the SELinux categories in freeipa because when
>> you have lots of categories all semanage commands slow down (way down).
>> For other people’s knowledge, this requires recompilation of the
>> SELinux policy.
>
> Ok, then your patch looks reasonable. The current code is for the default
> values and we haven't had cause to make this configurable before now. You
> might
> consider filing a ticket in our trac about this.
>
> Also note that this change will be lost on your next IPA upgrade, and you'll
> need to make this change on any IPA master you want these values to be
> managed.
> The data will remain unchanged, but the original python values will be
> restored
> if you update the packages.
>
> I don't believe validators are currently extensible in the IPA framework. That
> might be something we need to look at as well.
>
> regards
>
> rob
I am thinking you may be able to monkeypatch the validator in a custom plugin,
like selinuxusermap-user.py which would:
~~~~
import ipalib.plugins.selinuxusermap(
def custom_selinux_usermap_validator((ugettext, user):
...
ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator
~~~~
Then upgrade would not destroy the change. But of course, things may break as
well if for example we change the params of this function.
Martin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
