On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Josh wrote:
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com
>> <mailto:rcrit...@redhat.com>> wrote:
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories
>>>> on a system. I modified the selinuxusermap.py file to check for the
>>>> number of categories I need but ipa still responds with the original
>>>> error message. Do I need to restart any of the services?
>>>> Here is the command that was run and the output after applying the
>>>> patch below:
>>>> ipa config-mod
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user
>>>> 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must
>>>> match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>> Have you updated your SELinux policy to support a larger MCS range? If
>>> not then this will get you past the IPA validator but it won't work
>>> with SELinux. See semanage(8).
>> Yes. I’m trying to set the SELinux categories in freeipa because when
>> you have lots of categories all semanage commands slow down (way down).
>> For other people’s knowledge, this requires recompilation of the
>> SELinux policy.
> Ok, then your patch looks reasonable. The current code is for the default
> values and we haven't had cause to make this configurable before now. You
> might consider filing a ticket in our trac about this.
As it is for a very unique situation which most people won’t encounter I don’t
think it’s worth making configurable.
> Also note that this change will be lost on your next IPA upgrade, and you'll
> need to make this change on any IPA master you want these values to be
> managed. The data will remain unchanged, but the original python values will
> be restored if you update the packages.
I’m ok with that because the values only need to be set during initial setup.
Any idea why the validator isn’t being modified?
> I don't believe validators are currently extensible in the IPA framework.
> That might be something we need to look at as well.
Thanks for the help.
>>>> PS: This is the patch that was applied
>>>> 13:18:19.868574971 -0500
>>>> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py
>>>> 2014-02-11 13:20:03.563127380 -0500
>>>> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>>>> if not mls or not regex_mls.match(mls):
>>>> return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>>>> m = regex_mcs.match(mcs)
>>>> - if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
>>>> - return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
>>>> - 'and/or c[0-1023]-c[0-c0123]')
>>>> + if mcs and (not m or (m.group(3) and (int(m.group(3)) > 16384))):
>>>> + return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
>>>> + 'and/or c[0-16384]-c[0-16384]')
>>>> return None
>>>> Freeipa-users mailing list
>>>> Freeipaemail@example.com <mailto:Freeipafirstname.lastname@example.org>
Freeipa-users mailing list