On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
> On Wed, 23 Nov 2011, Rob Crittenden wrote:
> > This will allow one to define what SELinux context a given user gets
> > on a given machine. A rule can contain a set of users and hosts or it
> > can point to an existing HBAC rule that defines them.
> > 
> > https://fedorahosted.org/freeipa/ticket/755
> I read through the patch, will need to test it later this week. I 
> basically have two minor points:
> 
> 1. Split charachter in the SE Linux user map order. 
> > +
> > + Define SELinux user map order:
> > +   ipa config-mod 
> > --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
> >  """)
> $ can be considered 'active' character in all shells in a sense it 
> changes treatment of following characters from the shell perspective 
> and therefore will always require shielding from the shell's 
> influence. This increases likelyhood of error from a user side.
> 
> Maybe / would be more neutral character? 
> 
> As you said on IRC, people might have religious feeling about 
> separators but tricking users into always thinking about 
> escaping/single quoting is equally bad.
> 
> 2. We have two possible ways to address named properties in MagicDict 
> and NameSpace objects -- through explicit attribute use and through 
> the dictionary key. I guess for the cases when we know the attribute 
> name in advance, it would perhaps be preferrable to use the former 
> style:
> 
> > +    def pre_callback(self, ldap, dn, *keys, **options):
> > +        kw = dict(seealso=dn)
> > +        _entries = api.Command['selinuxusermap_find'](None, **kw)
> this would be 
>            _entries = api.Command.selinuxusermap_find(None, **kw)
> 
> Other than those two minor points, the patch looks very good. I'm 
> going to give it a run on Friday.
I tested the patch and it works for me on a new install. On upgrade of 
existing installation I've got few errors during run of 
ipa-ldap-updater for  SELinux schema changes. Unfortunately, didn't 
save the log as it was 2.1 -> 2.99 upgrade as well.

-- 
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to