Re: [Freeipa-users] SELinux user categories
On 02/12/2014 09:33 PM, Josh wrote:
> On Feb 12, 2014, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Josh wrote:
>>> On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Josh wrote:
>>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>> Josh wrote:
>>>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>>>
>>>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>>>
>>>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>>
>>>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>>>
>>>>>> rob
>>>>>
>>>>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>>>>
>>>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>>>
>>> As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.
>>>
>>>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>>>
>>> I’m ok with that because the values only need to be set during initial setup. Any idea why the validator isn’t being modified?
>>>
>>>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>>>
>>>> regards
>>>>
>>>> rob
>>>
>>> Thanks for the help.
>>
>> Sure. I'm glad we made it at least obvious enough for you to be able to work around.
>>
>> So I'm just curious about the need for this. You mentioned that semanage slows way down. Have you talked to the SELinux team about this? They've been quite responsive to our needs in the past, they may be able to fix something for you as well.
>
> I’m not sure if my coworker has talked to them about it directly, no. I’ll ping him to see if it’s something we want to get worked on moving forward.
>
>> On a more general note, we haven't had a lot of user feedback on the SELinux user map feature. Do you have any other suggestions on things we might do to improve it?
>
> Nothing directly but I can describe how we’re using it and where some of the perceived pain points are. Their impact is negligible though so we haven’t felt the need to investigate better ways to work around them.
>
> We’ve got a network of systems running both targeted and MLS SELinux policy. What this means is that we must define both valid selinux contexts in the user map. I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023 in the user map. We then use host groups and multiple user maps to map appropriately.
>
> Our commands might be easier to understand:
>
> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
> ipa hostgroup-add mls --desc="MLS SELinux Group"
> ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
> ipa hostgroup-add targeted --desc="Targeted SELinux Group"
> ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
> ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
> ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
> ipa selinuxusermap-add-host staff_u --hostgroups=targeted
> ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
> ipa selinuxusermap-add-user staff_u --groups=wheel
> ipa selinuxusermap-add-user staff_u_MLS --groups=wheel
>
> It might be more straightforward if we didn’t have to split the configuration like this but thanks to the flexibility of FreeIPA it’s very easy to do.
>
> Thanks,
> -josh

Nice. Not many of our users got back to us with experience on using the advanced use of the SELinux feature - so feedback welcome!

Rob, I am wondering if it would make sense to extend FreeIPA to allow SELinux user map rules with more SELinux users, per policy? I.e. have a rule like that:

# ipa selinuxusermap-show staff_u
  Rule name: staff_u
  SELinux User: staff_u:s0-s0:c0.c1023
  SELinux User (mls): staff_u:s0-s15:c0.c1023
  Enabled: TRUE
  User Groups: wheel
  Host Groups: selinuxhosts

This
Re: [Freeipa-users] SELinux user categories
Martin Kosek wrote:
> On 02/12/2014 09:33 PM, Josh wrote:
>> On Feb 12, 2014, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Josh wrote:
>>>> On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Josh wrote:
>>>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>>>> Josh wrote:
>>>>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>>>>
>>>>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>>>>
>>>>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>>>
>>>>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>>>>
>>>>>>> rob
>>>>>>
>>>>>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>>>>>
>>>>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>>>>
>>>> As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.
>>>>
>>>>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>>>>
>>>> I’m ok with that because the values only need to be set during initial setup. Any idea why the validator isn’t being modified?
>>>>
>>>>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>>>>
>>>>> regards
>>>>>
>>>>> rob
>>>>
>>>> Thanks for the help.
>>>
>>> Sure. I'm glad we made it at least obvious enough for you to be able to work around.
>>>
>>> So I'm just curious about the need for this. You mentioned that semanage slows way down. Have you talked to the SELinux team about this? They've been quite responsive to our needs in the past, they may be able to fix something for you as well.
>>
>> I’m not sure if my coworker has talked to them about it directly, no. I’ll ping him to see if it’s something we want to get worked on moving forward.
>>
>>> On a more general note, we haven't had a lot of user feedback on the SELinux user map feature. Do you have any other suggestions on things we might do to improve it?
>>
>> Nothing directly but I can describe how we’re using it and where some of the perceived pain points are. Their impact is negligible though so we haven’t felt the need to investigate better ways to work around them.
>>
>> We’ve got a network of systems running both targeted and MLS SELinux policy. What this means is that we must define both valid selinux contexts in the user map. I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023 in the user map. We then use host groups and multiple user maps to map appropriately.
>>
>> Our commands might be easier to understand:
>>
>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
>> ipa hostgroup-add mls --desc="MLS SELinux Group"
>> ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
>> ipa hostgroup-add targeted --desc="Targeted SELinux Group"
>> ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
>> ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
>> ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
>> ipa selinuxusermap-add-host staff_u --hostgroups=targeted
>> ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
>> ipa selinuxusermap-add-user staff_u --groups=wheel
>> ipa selinuxusermap-add-user staff_u_MLS --groups=wheel
>>
>> It might be more straightforward if we didn’t have to split the configuration like this but thanks to the flexibility of FreeIPA it’s very easy to do.
>>
>> Thanks,
>> -josh
>
> Nice. Not many of our users got back to us with experience on using the advanced use of the SELinux feature - so feedback welcome!
>
> Rob, I am wondering if it would make sense to extend FreeIPA to allow SELinux user map rules with more SELinux users, per policy? I.e. have a rule like that:
>
> # ipa selinuxusermap-show staff_u
>   Rule name: staff_u
>   SELinux User: staff_u:s0-s0:c0.c1023
>   SELinux User (mls): staff_u:s0-s15:c0.c1023
>   Enabled: TRUE
>   User Groups: wheel
>   Host Groups: selinuxhosts
>
> This proposed rule structure is not ideal and
Re: [Freeipa-users] SELinux user categories
On 02/11/2014 08:52 PM, Rob Crittenden wrote:
> Josh wrote:
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>
>>>> Here is the command that was run and the output after applying the patch below:
>>>>
>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>
>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>
>>> rob
>>
>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>
> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>
> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>
> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>
> regards
>
> rob

I am thinking you may be able to monkeypatch the validator in a custom plugin, like selinuxusermap-user.py which would:

    import ipalib.plugins.selinuxusermap

    def custom_selinux_usermap_validator(ugettext, user):
        ...

    ipalib.plugins.selinuxusermap.validate_selinuxuser = custom_selinux_usermap_validator

Then upgrade would not destroy the change. But of course, things may break as well if for example we change the params of this function.

Martin

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] SELinux user categories
Moving to freeipa-devel since we're going rather deep.

On 02/12/2014 10:02 AM, Martin Kosek wrote:
> On 02/11/2014 08:52 PM, Rob Crittenden wrote:
>> Josh wrote:
>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Josh wrote:
>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>
>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>
>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>
>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>
>>>> rob
>>>
>>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>>
>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>>
>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>>
>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>
>> regards
>>
>> rob
>
> I am thinking you may be able to monkeypatch the validator in a custom plugin, like selinuxusermap-user.py which would:
>
>     import ipalib.plugins.selinuxusermap
>
>     def custom_selinux_usermap_validator(ugettext, user):
>         ...
>
>     ipalib.plugins.selinuxusermap.validate_selinuxuser = custom_selinux_usermap_validator
>
> Then upgrade would not destroy the change. But of course, things may break as well if for example we change the params of this function.
>
> Martin

No, I don't think something like that will work; the validator is baked into the Param on creation. You'd have to replace `selinuxusermap.takes_params` with a copy that has a new `ipaselinuxuser` Param.

-- 
Petr³
Re: [Freeipa-users] SELinux user categories
On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Josh wrote:
>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Josh wrote:
>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>
>>>> Here is the command that was run and the output after applying the patch below:
>>>>
>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>
>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>
>>> rob
>>
>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>
> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.

As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.

> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.

I’m ok with that because the values only need to be set during initial setup. Any idea why the validator isn’t being modified?

> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>
> regards
>
> rob

Thanks for the help.

-josh

>> -josh
>>
>>>> Thanks,
>>>> -josh
>>>>
>>>> PS: This is the patch that was applied
>>>>
>>>> --- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats 2014-02-11 13:18:19.868574971 -0500
>>>> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py 2014-02-11 13:20:03.563127380 -0500
>>>> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>>>> if not mls or not regex_mls.match(mls):
>>>> return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>>>> m = regex_mcs.match(mcs)
>>>> -if mcs and (not m or (m.group(3) and (int(m.group(3)) 1023))):
>>>> -return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
>>>> - 'and/or c[0-1023]-c[0-c0123]')
>>>> +if mcs and (not m or (m.group(3) and (int(m.group(3)) 16384))):
>>>> +return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
>>>> + 'and/or c[0-16384]-c[0-16384]')
>>>> return None
Re: [Freeipa-users] SELinux user categories
Josh wrote:
> On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Josh wrote:
>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Josh wrote:
>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>
>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>
>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>
>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>
>>>> rob
>>>
>>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>>
>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>
> As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.
>
>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>
> I’m ok with that because the values only need to be set during initial setup. Any idea why the validator isn’t being modified?
>
>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>
>> regards
>>
>> rob
>
> Thanks for the help.

Sure. I'm glad we made it at least obvious enough for you to be able to work around.

So I'm just curious about the need for this. You mentioned that semanage slows way down. Have you talked to the SELinux team about this? They've been quite responsive to our needs in the past, they may be able to fix something for you as well.

On a more general note, we haven't had a lot of user feedback on the SELinux user map feature. Do you have any other suggestions on things we might do to improve it?

thanks

rob
Re: [Freeipa-users] SELinux user categories
On Feb 12, 2014, at 3:20 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Josh wrote:
>> On Feb 11, 2014, at 2:52 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>> Josh wrote:
>>>> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>>> Josh wrote:
>>>>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>>>>
>>>>>> Here is the command that was run and the output after applying the patch below:
>>>>>>
>>>>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>>>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>>>>
>>>>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>>>>
>>>>> rob
>>>>
>>>> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.
>>>
>>> Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.
>>
>> As it is for a very unique situation which most people won’t encounter I don’t think it’s worth making configurable.
>>
>>> Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.
>>
>> I’m ok with that because the values only need to be set during initial setup. Any idea why the validator isn’t being modified?
>>
>>> I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.
>>>
>>> regards
>>>
>>> rob
>>
>> Thanks for the help.
>
> Sure. I'm glad we made it at least obvious enough for you to be able to work around.
>
> So I'm just curious about the need for this. You mentioned that semanage slows way down. Have you talked to the SELinux team about this? They've been quite responsive to our needs in the past, they may be able to fix something for you as well.

I’m not sure if my coworker has talked to them about it directly, no. I’ll ping him to see if it’s something we want to get worked on moving forward.

> On a more general note, we haven't had a lot of user feedback on the SELinux user map feature. Do you have any other suggestions on things we might do to improve it?

Nothing directly but I can describe how we’re using it and where some of the perceived pain points are. Their impact is negligible though so we haven’t felt the need to investigate better ways to work around them.

We’ve got a network of systems running both targeted and MLS SELinux policy. What this means is that we must define both valid selinux contexts in the user map. I.e. we define both staff_u:s0-s0:c0.c1023 and staff_u:s0-s15:c0.c1023 in the user map. We then use host groups and multiple user maps to map appropriately.

Our commands might be easier to understand:

ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$staff_u:s0-s15:c0.c1023'
ipa hostgroup-add mls --desc="MLS SELinux Group"
ipa hostgroup-add-member mls --hosts=mlshost1,mlshost2
ipa hostgroup-add targeted --desc="Targeted SELinux Group"
ipa hostgroup-add-member targeted --hosts=appsrv1,appsrv2
ipa selinuxusermap-add staff_u --selinuxuser=staff_u:s0-s0:c0.c1023
ipa selinuxusermap-add staff_u_MLS --selinuxuser=staff_u:s0-s15:c0.c1023
ipa selinuxusermap-add-host staff_u --hostgroups=targeted
ipa selinuxusermap-add-host staff_u_MLS --hostgroups=mls
ipa selinuxusermap-add-user staff_u --groups=wheel
ipa selinuxusermap-add-user staff_u_MLS --groups=wheel

It might be more straightforward if we didn’t have to split the configuration like this but thanks to the flexibility of FreeIPA it’s very easy to do.

Thanks,
-josh

> thanks
>
> rob
Re: [Freeipa-users] SELinux user categories
Josh wrote:
> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>
> Here is the command that was run and the output after applying the patch below:
>
> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]

Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).

rob

> Thanks,
> -josh
>
> PS: This is the patch that was applied
>
> --- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats 2014-02-11 13:18:19.868574971 -0500
> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py 2014-02-11 13:20:03.563127380 -0500
> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
> if not mls or not regex_mls.match(mls):
> return _('Invalid MLS value, must match s[0-15](-s[0-15])')
> m = regex_mcs.match(mcs)
> -if mcs and (not m or (m.group(3) and (int(m.group(3)) 1023))):
> -return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
> - 'and/or c[0-1023]-c[0-c0123]')
> +if mcs and (not m or (m.group(3) and (int(m.group(3)) 16384))):
> +return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
> + 'and/or c[0-16384]-c[0-16384]')
> return None
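Review bot: the new bound in the `+if mcs and ...` line is off by one relative to the convention the old line used. The original rejected a category index greater than 1023 and advertised c[0-1023], so the highest accepted index and the advertised ceiling agreed; the replacement rejects only values greater than 16384 while advertising c[0-16384], so c0.c16384 (16385 categories) passes the validator even though the config-mod command in this thread only needs c0.c16383. Suggest `int(m.group(3)) > 16383` together with c[0-16383] in the message. Note also that the comparison operator between `int(m.group(3))` and the limit is missing from both the `-` and `+` lines as shown here, presumably lost in the mail archive, so the hunk as displayed would not parse if applied literally. Finally, the hunk only widens the numeric test; whether `regex_mcs` itself caps the number of digits is not visible in these lines and is worth checking before relying on the change.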
Re: [Freeipa-users] SELinux user categories
Josh wrote:
> On Feb 11, 2014, at 2:44 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Josh wrote:
>>> I have a situation where I need to support more than 1024 categories on a system. I modified the selinuxusermap.py file to check for the number of categories I need but ipa still responds with the original error message. Do I need to restart any of the services?
>>>
>>> Here is the command that was run and the output after applying the patch below:
>>>
>>> ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383'
>>> ipa: ERROR: invalid 'ipaselinuxusermaporder': SELinux user 'staff_u:s0-s15:c0.c16383' is not valid: Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
>>
>> Have you updated your SELinux policy to support a larger MCS range? If not then this will get you past the IPA validator but it won't work with SELinux. See semanage(8).
>>
>> rob
>
> Yes. I’m trying to set the SELinux categories in freeipa because when you have lots of categories all semanage commands slow down (way down). For other people’s knowledge, this requires recompilation of the SELinux policy.

Ok, then your patch looks reasonable. The current code is for the default values and we haven't had cause to make this configurable before now. You might consider filing a ticket in our trac about this.

Also note that this change will be lost on your next IPA upgrade, and you'll need to make this change on any IPA master you want these values to be managed. The data will remain unchanged, but the original python values will be restored if you update the packages.

I don't believe validators are currently extensible in the IPA framework. That might be something we need to look at as well.

regards

rob

> -josh
>
>>> Thanks,
>>> -josh
>>>
>>> PS: This is the patch that was applied
>>>
>>> --- /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py.cats 2014-02-11 13:18:19.868574971 -0500
>>> +++ /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.py 2014-02-11 13:20:03.563127380 -0500
>>> @@ -99,9 +99,9 @@ def validate_selinuxuser(ugettext, user)
>>> if not mls or not regex_mls.match(mls):
>>> return _('Invalid MLS value, must match s[0-15](-s[0-15])')
>>> m = regex_mcs.match(mcs)
>>> -if mcs and (not m or (m.group(3) and (int(m.group(3)) 1023))):
>>> -return _('Invalid MCS value, must match c[0-1023].c[0-1023] '
>>> - 'and/or c[0-1023]-c[0-c0123]')
>>> +if mcs and (not m or (m.group(3) and (int(m.group(3)) 16384))):
>>> +return _('Invalid MCS value, must match c[0-16384].c[0-16384] '
>>> + 'and/or c[0-16384]-c[0-16384]')
>>> return None
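The validator that the patch in this thread edits, re-implemented stand-alone with the category ceiling as a parameter so the same code checks both the default c[0-1023] range and the c0.c16383 ranges Josh needs; this is an added example, not FreeIPA's own code, and the regexes, helper names and the `check_usermap_order` function are its own assumptions.

```python
import re

# Added example (not FreeIPA's code): the MLS/MCS checks that the patch in
# this thread edits, with the category ceiling made a parameter instead of
# a hard-coded 1023. The regexes and names below are this example's own.

MLS_RE = re.compile(r'^s(\d+)(?:-s(\d+))?$')       # s0 or s0-s15
MCS_RE = re.compile(r'^c(\d+)(?:[.-]c(\d+))?$')    # c0, c0.c1023 or c0-c1023


def _range_error(match, ceiling):
    """True if a matched s/c pair lies outside 0..ceiling or is reversed."""
    lo = int(match.group(1))
    hi = int(match.group(2)) if match.group(2) is not None else lo
    return hi > ceiling or lo > hi


def validate_selinuxuser(user, max_category=1023, max_sensitivity=15):
    """Return an error string for an invalid SELinux user, or None if valid.

    Accepts 'name:mls' or 'name:mls:mcs', e.g. 'staff_u:s0-s15:c0.c1023'.
    With the default ceiling this mirrors upstream's c[0-1023] limit;
    max_category=16383 admits the c0.c16383 ranges from the thread while
    still rejecting c16384, which the posted patch's comparison against
    16384 would let through (its advertised range is off by one).
    """
    parts = user.split(':')
    if not (2 <= len(parts) <= 3) or not parts[0]:
        return 'Invalid SELinux user, must match name:mls[:mcs]'
    mls = parts[1]
    mcs = parts[2] if len(parts) == 3 else ''

    m = MLS_RE.match(mls)
    if not m or _range_error(m, max_sensitivity):
        return 'Invalid MLS value, must match s[0-%d](-s[0-%d])' % (
            max_sensitivity, max_sensitivity)

    if mcs:
        m = MCS_RE.match(mcs)
        if not m or _range_error(m, max_category):
            return ('Invalid MCS value, must match c[0-%d].c[0-%d] '
                    'and/or c[0-%d]-c[0-%d]' % ((max_category,) * 4))
    return None


def check_usermap_order(order, max_category=1023):
    """Validate every '$'-separated entry of an ipaselinuxusermaporder value.

    Returns a list of (entry, error) pairs for the entries that fail, so an
    empty list means the whole order string would pass the validator.
    """
    failures = []
    for entry in order.split('$'):
        err = validate_selinuxuser(entry, max_category=max_category)
        if err is not None:
            failures.append((entry, err))
    return failures


if __name__ == '__main__':
    # Constructed from the config-mod command quoted in this thread.
    order = ('guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s15:c0.c16383'
             '$resadm_u:s0-s15:c0.c16383$ia_u:s0-s15:c0.c16383')
    print(check_usermap_order(order))                      # three MCS failures
    print(check_usermap_order(order, max_category=16383))  # []
```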