From ba4378f49914e65a7d687a872d9b938173841154 Mon Sep 17 00:00:00 2001 From: Michal Zidek Date: Mar 19 2013 16:50:53 +0000 Subject: Make the SELinux refresh time configurable. Option ipa_selinux_refresh is added to basic ipa options. --- diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index fd54c7b..a1f2239 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -136,6 +136,7 @@ option_strings = { 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"), 'ipa_hbac_search_base' : _("Search base for HBAC related objects"), 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"), + 'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"), 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"), 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"), 'ipa_automount_location' : _("The automounter location this IPA client is using"), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index 5618459..87f69a2 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -141,6 +141,7 @@ krb5_fast_principal = str, None, false [provider/ipa/access] ipa_hbac_refresh = int, None, false +ipa_selinux_refresh = int, None, false ipa_hbac_treat_deny_as = str, None, false ipa_hbac_support_srchost = bool, None, false ipa_host_object_class = str, None, false diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 56220c3..8630a5d 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -316,6 +316,23 @@ + + + ipa_hbac_selinux (integer) + + + The amount of time between lookups of the SELinux + maps against the IPA server. This will reduce the + latency and load on the IPA server if there are + many user login requests made in a short + period. + + + Default: 5 (seconds) + + + + ipa_hbac_treat_deny_as (string) diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index f077776..e3915be 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -47,6 +47,7 @@ enum ipa_basic_opt { IPA_MASTER_DOMAIN_SEARCH_BASE, IPA_KRB5_REALM, IPA_HBAC_REFRESH, + IPA_SELINUX_REFRESH, IPA_HBAC_DENY_METHOD, IPA_HBAC_SUPPORT_SRCHOST, IPA_AUTOMOUNT_LOCATION, diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index a2200d1..7923b1e 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -45,6 +45,7 @@ struct dp_option ipa_basic_opts[] = { { "ipa_master_domain_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_selinux_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }, { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING }, diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 489c203..6705eea 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -811,6 +811,7 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx, int ret = EOK; time_t now; time_t refresh_interval; + struct ipa_options *ipa_options = selinux_ctx->id_ctx->ipa_options; DEBUG(SSSDBG_TRACE_FUNC, ("Retrieving SELinux user mapping\n")); req = tevent_req_create(mem_ctx, &state, struct ipa_get_selinux_state); @@ -828,8 +829,8 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx, offline ? "offline" : "online")); if (!offline) { - /* FIXME: Make the interval configurable */ - refresh_interval = 5; + refresh_interval = dp_opt_get_int(ipa_options->basic, + IPA_SELINUX_REFRESH); now = time(NULL); if (now < selinux_ctx->last_update + refresh_interval) { /* SELinux maps were recently updated -> force offline */