[Freeipa-devel] [PATCH] 906 Add SELinux user mapping framework.

Rob Crittenden rcritten at redhat.com
Thu Dec 8 22:26:23 UTC 2011


Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Thu, 24 Nov 2011, Alexander Bokovoy wrote:
>>> On Wed, 23 Nov 2011, Rob Crittenden wrote:
>>>> This will allow one to define what SELinux context a given user gets
>>>> on a given machine. A rule can contain a set of users and hosts or it
>>>> can point to an existing HBAC rule that defines them.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/755
>>> I read through the patch, will need to test it later this week. I
>>> basically have two minor points:
>>>
>>> 1. Split character in the SE Linux user map order.
>>>> +
>>>> + Define SELinux user map order:
>>>> + ipa config-mod
>>>> --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
>>>>
>>>> """)
>>> $ can be considered 'active' character in all shells in a sense it
>>> changes treatment of following characters from the shell perspective
>>> and therefore will always require shielding from the shell's
>>> influence. This increases likelihood of error from a user side.
>>>
>>> Maybe / would be more neutral character?
>>>
>>> As you said on IRC, people might have religious feeling about
>>> separators but tricking users into always thinking about
>>> escaping/single quoting is equally bad.
>>>
>>> 2. We have two possible ways to address named properties in MagicDict
>>> and NameSpace objects -- through explicit attribute use and through
>>> the dictionary key. I guess for the cases when we know the attribute
>>> name in advance, it would perhaps be preferable to use the former
>>> style:
>>>
>>>> + def pre_callback(self, ldap, dn, *keys, **options):
>>>> + kw = dict(seealso=dn)
>>>> + _entries = api.Command['selinuxusermap_find'](None, **kw)
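Review bot: `_entries` is assigned from the `selinuxusermap_find` call but nothing in the visible lines inspects it; if the intent of this pre_callback is to refuse the operation while any SELinux user map still references `dn` through `seealso`, add a check on the result (for example its `count`) and raise an error when it is non-zero, otherwise the search has no effect. The `kw = dict(seealso=dn)` indirection is also unnecessary: `seealso=dn` can be passed directly.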
>>> this would be
>>> _entries = api.Command.selinuxusermap_find(None, **kw)
>>>
>>> Other than those two minor points, the patch looks very good. I'm
>>> going to give it a run on Friday.
>> I tested the patch and it works for me on a new install. On upgrade of
>> existing installation I've got few errors during run of
>> ipa-ldap-updater for SELinux schema changes. Unfortunately, didn't
>> save the log as it was 2.1 -> 2.99 upgrade as well.
>>
>
> It turns out that other characters are just as troublesome and require
> escaping (space and \). I'm going to leave it as $ unless someone comes
> up with something better that the shell isn't going to whine about.
>
> I fixed some other minor issues and rebased.
>
> Upgrading isn't really testable at this point yet, other things in 3.0
> need to be addressed as well. We have a separate ticket to look into the
> schema updates so I've removed the update file for now.
>
> rob

Rebased patch

rob
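As an added illustration of the order value discussed in the thread (not code from the patch or from FreeIPA), the following parses the `$`-separated ipaselinuxusermaporder value into its ordered SELinux user entries, validates each one against a simplified `seuser:range` grammar (an assumption, not FreeIPA's own validator), and shows how the value has to be quoted before a shell sees it. The sample input is the value from the patch's docstring.

```python
import re
import shlex

# Separator chosen in the patch under review for the user map order value.
ORDER_SEPARATOR = "$"

# Constructed sample: the value shown in the patch's docstring example.
SAMPLE_ORDER = (
    "guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023"
    "$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
)

# One entry is "<seuser>:<MLS/MCS range>", e.g. "staff_u:s0-s0:c0.c1023".
# The range grammar below (level[-level], level = sN[:cA[.cB][,cC...]]) is a
# simplification assumed for this example.
_LEVEL = r"s\d+(?::c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*)?"
_ENTRY_RE = re.compile(
    r"^(?P<user>[a-z][a-z0-9_]*_u):(?P<range>%s(?:-%s)?)$" % (_LEVEL, _LEVEL)
)


def parse_order(value):
    """Split the order string into its entries, validating each one.

    Raises ValueError on an empty or malformed entry (e.g. "a$$b").
    """
    entries = []
    for item in value.split(ORDER_SEPARATOR):
        if not _ENTRY_RE.match(item):
            raise ValueError("malformed SELinux user entry: %r" % item)
        entries.append(item)
    return entries


def is_valid_order(value):
    """True when every entry of the order string parses."""
    try:
        parse_order(value)
    except ValueError:
        return False
    return True


def user_rank(value, seuser):
    """Position of seuser (name only, no range) in the order, or None.

    A lower index means the user is listed earlier in the order.
    """
    for idx, entry in enumerate(parse_order(value)):
        if entry.split(":", 1)[0] == seuser:
            return idx
    return None


def shell_argument(value):
    """Render the option so a POSIX shell passes '$' through unchanged."""
    return "--ipaselinuxusermaporder=" + shlex.quote(value)
```

`shlex.quote` single-quotes the value only when it contains characters the shell would otherwise interpret, which is exactly the `$` case the reviewers discuss.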

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-906-3-selinux.patch
Type: text/x-patch
Size: 66673 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20111208/683fd4d1/attachment.bin>
