On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Josh wrote:
>>
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories
>>>> on a system. I modified the selinuxusermap.py file to check for the
>>>> number of categories I need but ipa still responds with the original
>>>> error message. Do I need to restart any of the services?
>>>>
>>>> Here is the command that was run and the output after applying the
>>>> patch below:
>>>>
>>>> ipa config-mod
>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>
>>> Have you updated your SELinux policy to support a larger MCS range? If
>>> not then this will get you past the IPA validator but it won't work
>>> with SELinux. See semanage(8).
>>>
>>> rob
>>
>> Yes. I’m trying to set the SELinux categories in freeipa because when
>> you have lots of categories all semanage commands slow down (way down).
>> For other people’s knowledge, this requires recompilation of the
>> SELinux policy.
>
> Ok, then your patch looks reasonable. The current code is for the default
> values and we haven't had cause to make this configurable before now. You
> might consider filing a ticket in our trac about this.

As it is for a very unique situation which most people won’t encounter, I don’t think it’s worth making configurable.

> Also note that this change will be lost on your next IPA upgrade, and you'll
> need to make this change on any IPA master you want these values to be
> managed. The data will remain unchanged, but the original python values will
> be restored if you update the packages.

I’m ok with that because the values only need to be set during initial setup.
>> Any idea why the validator isn’t being modified?
>
> I don't believe validators are currently extensible in the IPA framework.
> That might be something we need to look at as well.
>
> regards
>
> rob
>

Thanks for the help.
-josh

>>
>> -josh
>>
>>>
>>>>
>>>> Thanks,
>>>> -josh
>>>>
>>>> PS: This is the patch that was applied
>>>>
>>>> --- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats 2014-02-11 13:18:19.868574971 -0500
>>>> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py 2014-02-11 13:20:03.563127380 -0500
>>>> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>>>>      if not mls or not regex_mls.match(mls):
>>>>          return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>>>>      m = regex_mcs.match(mcs)
>>>> -    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
>>>> -        return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
>>>> -                 'and/or c[0-1023]-c[0-c0123]')
>>>> +    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 16384))):
>>>> +        return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
>>>> +                 'and/or c[0-16384]-c[0-16384]')
>>>>      return None
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
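Review bot: the new ceiling in the `if` is one too high for the policy the thread describes. A policy with 16384 categories numbers them c0 through c16383, so `int(m.group(3)) > 16384` still accepts `c16384`; the comparison should be `> 16383` and the message should read `c[0-16383]`. The bound is also spelled out four times in the hunk (once in the condition, three times in the message); hoisting it into one module-level constant would make this site-local edit easier to re-apply after the package upgrade mentioned earlier in the thread. Note too that, like the original, the check only bounds `m.group(3)`; whether the other capture groups of `regex_mcs` need the same ceiling cannot be judged from the hunk alone.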
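A stand-alone re-implementation of the MCS check the thread patches, added here as an example and not the FreeIPA selinuxusermap.py code; it takes the category count as a parameter so the stock 1024-category policy and the recompiled 16384-category one from the thread can be compared, and it shows that the bound must be N-1, not N. The regex, function names and error text are my own assumptions.

```python
import re

# Constructed example, not the FreeIPA validator. One MCS item is a single
# category (c5) or an inclusive range (c0.c1023); items may be comma-separated.
# SELinux numbers categories from 0, so a policy with N categories has
# c0 .. c(N-1), which is the off-by-one the thread's patch trips over.
_MCS_ITEM = re.compile(r'^c(\d+)(?:\.c(\d+))?$')


def validate_mcs(mcs, num_categories=1024):
    """Return None if mcs is valid for a policy with num_categories,
    otherwise an error string (same return convention as the IPA validator)."""
    max_cat = num_categories - 1
    error = ('Invalid MCS value, must match c[0-%d] or c[0-%d].c[0-%d]'
             % (max_cat, max_cat, max_cat))
    if not mcs:
        return None          # the MCS part of an SELinux user string is optional
    for item in mcs.split(','):
        m = _MCS_ITEM.match(item)
        if not m:
            return error
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        # Reject categories the policy does not define and reversed ranges.
        if high > max_cat or low > high:
            return error
    return None


def validate_selinux_user(user, num_categories=1024):
    """Split 'name:mls[:mcs]' on ':' as the IPA code does and check the MCS
    part against the given category count. MLS is not validated here."""
    parts = user.split(':', 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        return 'Invalid SELinux user, expected name:mls[:mcs]'
    mcs = parts[2] if len(parts) == 3 else None
    return validate_mcs(mcs, num_categories)


if __name__ == '__main__':
    staff = 'staff_u:s0-s15:c0.c16383'          # the value from the thread
    print(validate_selinux_user(staff))             # rejected by the stock 1024 limit
    print(validate_selinux_user(staff, 16384))      # None: accepted once raised
    print(validate_selinux_user('staff_u:s0-s15:c0.c16384', 16384))  # still rejected
```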