On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
> On Wed, 23 Nov 2011, Rob Crittenden wrote:
> > This will allow one to define what SELinux context a given user gets
> > on a given machine. A rule can contain a set of users and hosts or it
> > can point to an existing HBAC rule that defines them.
> > https://fedorahosted.org/freeipa/ticket/755
> I read through the patch, will need to test it later this week. I
> basically have two minor points:
> 1. Split character in the SELinux user map order.
> > +
> > + Define SELinux user map order:
> > + ipa config-mod
> > --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
> > """)
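Review bot: the docstring example only works because the whole `--ipaselinuxusermaporder` value is single-quoted; with `$` as the separator, an unquoted value has `$xguest_u`, `$user_u`, `$staff_u` and `$unconfined_u` expanded by the shell as variables, so the server would receive a silently truncated order. The help text should state that the value must be quoted, or the option should use a separator that shells treat as a literal character.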
> $ can be considered an 'active' character in all shells in the sense that it
> changes the treatment of the following characters from the shell's perspective
> and therefore will always require shielding from the shell's
> influence. This increases the likelihood of error on the user's side.
> Maybe / would be a more neutral character?
> As you said on IRC, people might have religious feelings about
> separators, but tricking users into always thinking about
> escaping/single quoting is equally bad.
> 2. We have two possible ways to address named properties in MagicDict
> and NameSpace objects -- through explicit attribute use and through
> the dictionary key. I guess for the cases when we know the attribute
> name in advance, it would perhaps be preferable to use the former
> > + def pre_callback(self, ldap, dn, *keys, **options):
> > + kw = dict(seealso=dn)
> > + _entries = api.Command['selinuxusermap_find'](None, **kw)
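Review bot: the result of the `selinuxusermap_find` lookup is assigned to `_entries` but nothing in the quoted lines tests it; the check it feeds (the visible intent is a reverse lookup of SELinux user maps whose `seeAlso` points at `dn`) should be part of the same hunk so the condition can be reviewed together with the query, and the leading-underscore name reads as "unused", so `entries` would be clearer if the value is consumed.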
> this would be
> _entries = api.Command.selinuxusermap_find(None, **kw)
> Other than those two minor points, the patch looks very good. I'm
> going to give it a run on Friday.
I tested the patch and it works for me on a new install. On upgrade of an
existing installation I got a few errors during the run of
ipa-ldap-updater for the SELinux schema changes. Unfortunately, I didn't
save the log as it was a 2.1 -> 2.99 upgrade as well.
/ Alexander Bokovoy
Freeipa-devel mailing list