Josh wrote:
On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
Josh wrote:
On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
<mailto:rcrit...@redhat.com>> wrote:
Josh wrote:
I have a situation where I need to support more than 1024 categories
on a system. I modified the selinuxusermap.py file to check for the
number of categories I need but ipa still responds with the original
error message. Do I need to restart any of the services?
Here is the command that was run and the output after applying the
patch below:
ipa config-mod
--ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
Have you updated your SELinux policy to support a larger MCS range? If
not then this will get you past the IPA validator but it won't work
with SELinux. See semanage(8).
rob
Yes. I’m trying to set the SELinux categories in freeipa because when
you have lots of categories all semanage commands slow down (way down).
For other people’s knowledge, this requires recompilation of the
SELinux policy.
Ok, then your patch looks reasonable. The current code is for the default
values and we haven't had cause to make this configurable before now. You might
consider filing a ticket in our trac about this.
As it is for a very unique situation which most people won’t encounter I don’t
think it’s worth making configurable.
Also note that this change will be lost on your next IPA upgrade, and you'll
need to make this change on any IPA master you want these values to be managed.
The data will remain unchanged, but the original python values will be restored
if you update the packages.
I’m ok with that because the values only need to be set during initial setup.
Any idea why the validator isn’t being modified?
I don't believe validators are currently extensible in the IPA framework. That
might be something we need to look at as well.
regards
rob
Thanks for the help.
Sure. I'm glad we made at least obvious enough for you to be able to
work around.
So I'm just curious about the need for this. You mentioned that semanage
slows way down. Have you talked to the SELinux team about this? They've
been quite responsive to our needs in the past, they may be able to fix
something for you as well.
On a more general note, we haven't had a lot of user feedback on the
SELinux user map feature. Do you have any other suggestions on things we
might do to improve it?
thanks
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
