Josh wrote:
I have a situation where I need to support more than 1024 categories on a 
system.  I modified the selinuxusermap.py file to check for the number of 
categories I need but ipa still responds with the original error message.  Do I 
need to restart any of the services?

Here is the command that was run and the output after applying the patch below:

ipa config-mod 
--ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 
'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match 
c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).

rob


Thanks,
-josh

PS: This is the patch that was applied

--- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats  
2014-02-11 13:18:19.868574971 -0500
+++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py   
2014-02-11 13:20:03.563127380 -0500
@@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
      if not mls or not regex_mls.match(mls):
          return _('Invalid MLS value, must match s[0-15](-s[0-15])')
      m = regex_mcs.match(mcs)
-    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
-        return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
-                 'and/or c[0-1023]-c[0-c0123]')
+    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 16384))):
+        return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
+                 'and/or c[0-16384]-c[0-16384]')
      return None

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to