On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
> On Wed, 23 Nov 2011, Rob Crittenden wrote:
> > This will allow one to define what SELinux context a given user gets
> > on a given machine. A rule can contain a set of users and hosts or it
> > can point to an existing HBAC rule that defines them.
> >
> > https://fedorahosted.org/freeipa/ticket/755
> I read through the patch, will need to test it later this week. I
> basically have two minor points:
>
> 1. Split character in the SE Linux user map order.
>
> > +
> > + Define SELinux user map order:
> > + ipa config-mod
> > --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
> > """)
>
> $ can be considered an 'active' character in all shells in the sense that it
> changes the treatment of the following characters from the shell's perspective
> and therefore will always require shielding from the shell's
> influence. This increases the likelihood of error on the user's side.
>
> Maybe / would be a more neutral character?
>
> As you said on IRC, people might have religious feelings about
> separators but tricking users into always thinking about
> escaping/single quoting is equally bad.
>
> 2. We have two possible ways to address named properties in MagicDict
> and NameSpace objects -- through explicit attribute use and through
> the dictionary key. I guess for the cases when we know the attribute
> name in advance, it would perhaps be preferable to use the former
> style:
>
> > + def pre_callback(self, ldap, dn, *keys, **options):
> > + kw = dict(seealso=dn)
> > + _entries = api.Command['selinuxusermap_find'](None, **kw)
>
> this would be
>
> _entries = api.Command.selinuxusermap_find(None, **kw)
>
> Other than those two minor points, the patch looks very good. I'm
> going to give it a run on Friday.

I tested the patch and it works for me on a new install. On upgrade of an existing installation I got a few errors during the run of ipa-ldap-updater for the SELinux schema changes.
Unfortunately, I didn't save the log as it was a 2.1 -> 2.99 upgrade as well.

-- 
/ Alexander Bokovoy
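The order string and the shell-escaping concern raised in point 1 above, as an added Python example that is not part of the patch or of FreeIPA's own code. The entry syntax it validates (an SELinux user followed by an MLS/MCS range) is assumed from the sample value quoted in the thread; the `$`-expansion simulation only approximates what a POSIX shell does to an unquoted argument.

```python
import re
import shlex

# Separator the patch under review uses for ipaselinuxusermaporder.
SEPARATOR = "$"

# One entry: SELinux user plus MLS/MCS range, e.g. "staff_u:s0-s0:c0.c1023"
# or "guest_u:s0" (syntax assumed from the sample value in the thread).
_ENTRY_RE = re.compile(
    r"^(?P<user>[a-z][a-z0-9_]*)"
    r":(?P<range>s\d+(?:-s\d+(?::c\d+(?:\.c\d+)?)?)?)$"
)

# Unquoted "$name" is what a shell would try to expand as a variable.
_SHELL_VAR_RE = re.compile(r"\$[A-Za-z_][A-Za-z0-9_]*")


def parse_selinux_user_map_order(value, sep=SEPARATOR):
    """Split the order string into (user, range) tuples.

    Raises ValueError on a malformed or duplicated entry, so a mangled
    string cannot silently drop a confinement level from the order.
    """
    entries = []
    for raw in value.split(sep):
        match = _ENTRY_RE.match(raw)
        if match is None:
            raise ValueError("malformed SELinux user entry: %r" % raw)
        entries.append((match.group("user"), match.group("range")))
    if len({user for user, _ in entries}) != len(entries):
        raise ValueError("duplicate SELinux user in order string")
    return entries


def is_valid_order(value, sep=SEPARATOR):
    """True if the order string parses cleanly."""
    try:
        parse_selinux_user_map_order(value, sep)
    except ValueError:
        return False
    return True


def shell_argument(value):
    """Quote the value so a POSIX shell passes it through verbatim.

    shlex.quote single-quotes anything containing '$', which is exactly
    the shielding the reviewer says users would have to remember.
    """
    return shlex.quote(value)


def simulate_unquoted_expansion(value):
    """Approximate what an unquoted argument becomes when every "$name"
    refers to an unset shell variable: each one expands to nothing."""
    return _SHELL_VAR_RE.sub("", value)
```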
