On Feb 12, 2014, at 4:57 AM, Petr Viktorin <pvikt...@redhat.com> wrote:

> Moving to freeipa-devel since we're going rather deep.
> On 02/12/2014 10:02 AM, Martin Kosek wrote:
>> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>>> Josh wrote:
>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
>>>> <mailto:rcrit...@redhat.com>> wrote:
>>>>> Josh wrote:
>>>>>> I have a situation where I need to support more than 1024 categories
>>>>>> on a system.  I modified the selinuxusermap.py file to check for the
>>>>>> number of categories I need but ipa still responds with the original
>>>>>> error message.  Do I need to restart any of the services?
>>>>>> Here is the command that was run and the output after applying the
>>>>>> patch below:
>>>>>> ipa config-mod
>>>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>> Have you updated your SELinux policy to support a larger MCS range? If
>>>>> not then this will get you past the IPA validator but it won't work
>>>>> with SELinux. See semanage(8).
>>>>> rob
>>>> Yes.  I’m trying to set the SELinux categories in freeipa because when
>>>> you have lots of categories all semanage commands slow down (way down).
>>>>   For other people’s knowledge, this requires recompilation of the
>>>> SELinux policy.
>>> Ok, then your patch looks reasonable. The current code is for the default
>>> values and we haven't had cause to make this configurable before now. You 
>>> might
>>> consider filing a ticket in our trac about this.
>>> Also note that this change will be lost on your next IPA upgrade, and you'll
>>> need to make this change on any IPA master you want these values to be 
>>> managed.
>>> The data will remain unchanged, but the original python values will be 
>>> restored
>>> if you update the packages.
>>> I don't believe validators are currently extensible in the IPA framework. 
>>> That
>>> might be something we need to look at as well.
>>> regards
>>> rob
>> I am thinking you may be able to monkeypatch the validator in a custom 
>> plugin,
>> like selinuxusermap-user.py which would:
>> ~~~~
>> import ipalib.plugins.selinuxusermap(
>> def custom_selinux_usermap_validator((ugettext, user):
>>     ...
>> ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator
>> ~~~~
>> Then upgrade would not destroy the change. But of course, things may break as
>> well if for example we change the params of this function.
>> Martin
> No, I don't think something like that will work; the validator is baked into 
> the Param on creation. You'd have to replace `selinuxusermap.takes_params` 
> with a copy that has a new `ipaselinuxuser` Param.

I’m ok with the patch being removed on subsequent upgrades to the software.  I 
only need the validator modified during the initial setup.  After that the 
setting won’t need to be changed.


> -- 
> Petr³
> _______________________________________________
> Freeipa-users mailing list
> freeipa-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Freeipa-devel mailing list

Reply via email to