On Feb 12, 2014, at 4:57 AM, Petr Viktorin <pvikt...@redhat.com> wrote:
> Moving to freeipa-devel since we're going rather deep.
>
> On 02/12/2014 10:02 AM, Martin Kosek wrote:
>> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>>> Josh wrote:
>>>>
>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
>>>>
>>>>> Josh wrote:
>>>>>> I have a situation where I need to support more than 1024 categories
>>>>>> on a system. I modified the selinuxusermap.py file to check for the
>>>>>> number of categories I need but ipa still responds with the original
>>>>>> error message. Do I need to restart any of the services?
>>>>>>
>>>>>> Here is the command that was run and the output after applying the
>>>>>> patch below:
>>>>>>
>>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>>
>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>
>>>>> Have you updated your SELinux policy to support a larger MCS range? If
>>>>> not then this will get you past the IPA validator but it won't work
>>>>> with SELinux. See semanage(8).
>>>>>
>>>>> rob
>>>>
>>>> Yes. I’m trying to set the SELinux categories in freeipa because when
>>>> you have lots of categories all semanage commands slow down (way down).
>>>> For other people’s knowledge, this requires recompilation of the
>>>> SELinux policy.
>>>
>>> Ok, then your patch looks reasonable. The current code is for the default
>>> values and we haven't had cause to make this configurable before now. You
>>> might consider filing a ticket in our trac about this.
>>>
>>> Also note that this change will be lost on your next IPA upgrade, and you'll
>>> need to make this change on any IPA master you want these values to be
>>> managed. The data will remain unchanged, but the original python values will
>>> be restored if you update the packages.
>>>
>>> I don't believe validators are currently extensible in the IPA framework.
>>> That might be something we need to look at as well.
>>>
>>> regards
>>>
>>> rob
>>
>> I am thinking you may be able to monkeypatch the validator in a custom
>> plugin, like selinuxusermap-user.py which would:
>>
>> ~~~~
>> import ipalib.plugins.selinuxusermap
>>
>> def custom_selinux_usermap_validator(ugettext, user):
>>     ...
>>
>> ipalib.plugins.selinuxusermap = custom_selinux_usermap_validator
>> ~~~~
>>
>> Then upgrade would not destroy the change. But of course, things may break as
>> well if for example we change the params of this function.
>>
>> Martin
>
> No, I don't think something like that will work; the validator is baked into
> the Param on creation. You'd have to replace `selinuxusermap.takes_params`
> with a copy that has a new `ipaselinuxuser` Param.

I’m ok with the patch being removed on subsequent upgrades to the software. I only need the validator modified during the initial setup. After that the setting won’t need to be changed.

-josh

> --
> Petr³
>
> _______________________________________________
> Freeipa-users mailing list
> freeipa-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
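The thread turns on a validator that hard-codes the MCS category range (c0 to c1023) and therefore rejects a policy built for 16384 categories. The following is an added, stand-alone illustration of what a configurable version of such a check looks like; it is not FreeIPA's code and does not use the ipalib Param API. It assumes the usual SELinux level grammar (`user:s<N>[:c<N>[.c<M>][,...]][-<high level>]`), the `$` separator seen in the quoted `ipa config-mod` command, and defaults of s0-s15 and c0-c1023 taken from the values and error message in the thread. The order string it checks is reconstructed from the quoted command.

```python
import re

# Separator between SELinux users in ipaselinuxusermaporder, as in the
# command quoted in the thread.
USERMAP_SEPARATOR = "$"

# Assumed defaults: the thread's error message names c[0-1023] as the
# accepted category range, and s0-s15 is the sensitivity span used in
# the thread's own values.
DEFAULT_MAX_SENSITIVITY = 15
DEFAULT_MAX_CATEGORY = 1023

_USER_RE = re.compile(r"^[a-z_][a-z0-9_]*$")
_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")       # s<N>[:<categories>]
_CATSET_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # c<N> or c<N>.c<M>


class MCSError(ValueError):
    """Raised when an SELinux user string is not a valid MLS/MCS range."""


def parse_level(level, max_sensitivity, max_category):
    """Parse one level such as 's15:c0.c16383' into (sensitivity, categories)."""
    m = _LEVEL_RE.match(level)
    if not m:
        raise MCSError("invalid level %r" % level)
    sensitivity = int(m.group(1))
    if sensitivity > max_sensitivity:
        raise MCSError("sensitivity s%d exceeds s%d" % (sensitivity, max_sensitivity))
    categories = set()
    if m.group(2):
        for part in m.group(2).split(","):
            cm = _CATSET_RE.match(part)
            if not cm:
                raise MCSError("invalid category set %r" % part)
            low = int(cm.group(1))
            high = int(cm.group(2)) if cm.group(2) else low
            if low > high:
                raise MCSError("category range %r is reversed" % part)
            if high > max_category:
                raise MCSError("category c%d exceeds c%d" % (high, max_category))
            categories.update(range(low, high + 1))
    return sensitivity, categories


def parse_selinux_user(entry, max_sensitivity=DEFAULT_MAX_SENSITIVITY,
                       max_category=DEFAULT_MAX_CATEGORY):
    """Parse 'user:low[-high]' and check that the high level dominates the low."""
    user, _, mls = entry.partition(":")
    if not _USER_RE.match(user) or not mls:
        raise MCSError("invalid SELinux user entry %r" % entry)
    low_text, dash, high_text = mls.partition("-")
    low = parse_level(low_text, max_sensitivity, max_category)
    high = parse_level(high_text, max_sensitivity, max_category) if dash else low
    # A range is only meaningful if the high level dominates the low level:
    # higher-or-equal sensitivity and a superset of the categories.
    if high[0] < low[0] or not low[1] <= high[1]:
        raise MCSError("high level does not dominate low level in %r" % entry)
    return user, low, high


def validate_usermap_order(order, max_sensitivity=DEFAULT_MAX_SENSITIVITY,
                           max_category=DEFAULT_MAX_CATEGORY):
    """Return [(entry, reason), ...] for every invalid entry; [] means valid."""
    problems = []
    for entry in order.split(USERMAP_SEPARATOR):
        try:
            parse_selinux_user(entry, max_sensitivity, max_category)
        except MCSError as exc:
            problems.append((entry, str(exc)))
    return problems


if __name__ == "__main__":
    # Order string reconstructed from the command quoted in the thread.
    order = ("guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383"
             "$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383")
    for entry, reason in validate_usermap_order(order):
        print("default limits reject %s: %s" % (entry, reason))
    print("with max_category=16383:", validate_usermap_order(order, max_category=16383))
```

With the defaults the three `c0.c16383` entries are rejected for the same reason the IPA validator gives; raising `max_category` to 16383 accepts them. As Rob notes in the thread, passing this check only means the string is well-formed for the configured policy limits; the SELinux policy itself must have been rebuilt for that many categories, which is a separate step.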