authorMichal Zidek <mzidek@redhat.com>2013-03-01 13:44:03 +0100
committerJakub Hrozek <jhrozek@redhat.com>2013-03-19 17:50:53 +0100
commitba4378f49914e65a7d687a872d9b938173841154 (patch)
tree34da787dfa505711546d7d2b4f36a1c5ac47056c
parent2ff2a7469ef0b23b3feb418f3ecfa8cfbfa2239c (diff)
Make the SELinux refresh time configurable.
Option ipa_selinux_refresh is added to basic ipa options.
-rw-r--r--src/config/SSSDConfig/__init__.py.in1
-rw-r--r--src/config/etc/sssd.api.d/sssd-ipa.conf1
-rw-r--r--src/man/sssd-ipa.5.xml17
-rw-r--r--src/providers/ipa/ipa_common.h1
-rw-r--r--src/providers/ipa/ipa_opts.h1
-rw-r--r--src/providers/ipa/ipa_selinux.c5
6 files changed, 24 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index fd54c7b6..a1f22395 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -136,6 +136,7 @@ option_strings = {
'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"),
'ipa_hbac_search_base' : _("Search base for HBAC related objects"),
'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"),
+ 'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"),
'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"),
'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"),
'ipa_automount_location' : _("The automounter location this IPA client is using"),
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 56184590..87f69a23 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -141,6 +141,7 @@ krb5_fast_principal = str, None, false
[provider/ipa/access]
ipa_hbac_refresh = int, None, false
+ipa_selinux_refresh = int, None, false
ipa_hbac_treat_deny_as = str, None, false
ipa_hbac_support_srchost = bool, None, false
ipa_host_object_class = str, None, false
diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml
index 56220c3e..8630a5d6 100644
--- a/src/man/sssd-ipa.5.xml
+++ b/src/man/sssd-ipa.5.xml
@@ -316,6 +316,23 @@
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>ipa_hbac_selinux (integer)</term>
+ <listitem>
+ <para>
+ The amount of time between lookups of the SELinux
+ maps against the IPA server. This will reduce the
+ latency and load on the IPA server if there are
+ many user login requests made in a short
+ period.
+ </para>
+ <para>
+ Default: 5 (seconds)
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>ipa_hbac_treat_deny_as (string)</term>
<listitem>
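Review bot: The new varlistentry documents the option under the wrong name: the term reads `ipa_hbac_selinux (integer)` while the option registered in ipa_opts.h and sssd-ipa.conf in this same commit is `ipa_selinux_refresh`, so an admin following the man page would set a key that is never read and the SELinux map cache would silently keep its 5-second default. Change the term to `<term>ipa_selinux_refresh (integer)</term>`. The first paragraph could also state the unit directly, e.g. `The amount of time in seconds between lookups of the SELinux maps against the IPA server.`, matching the description string added to SSSDConfig.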
diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h
index f077776b..e3915beb 100644
--- a/src/providers/ipa/ipa_common.h
+++ b/src/providers/ipa/ipa_common.h
@@ -47,6 +47,7 @@ enum ipa_basic_opt {
IPA_MASTER_DOMAIN_SEARCH_BASE,
IPA_KRB5_REALM,
IPA_HBAC_REFRESH,
+ IPA_SELINUX_REFRESH,
IPA_HBAC_DENY_METHOD,
IPA_HBAC_SUPPORT_SRCHOST,
IPA_AUTOMOUNT_LOCATION,
diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h
index a2200d1b..7923b1ec 100644
--- a/src/providers/ipa/ipa_opts.h
+++ b/src/providers/ipa/ipa_opts.h
@@ -45,6 +45,7 @@ struct dp_option ipa_basic_opts[] = {
{ "ipa_master_domain_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING },
{ "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING},
{ "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
+ { "ipa_selinux_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
{ "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING },
{ "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
{ "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING },
diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c
index 489c203d..6705eea1 100644
--- a/src/providers/ipa/ipa_selinux.c
+++ b/src/providers/ipa/ipa_selinux.c
@@ -811,6 +811,7 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
int ret = EOK;
time_t now;
time_t refresh_interval;
+ struct ipa_options *ipa_options = selinux_ctx->id_ctx->ipa_options;
DEBUG(SSSDBG_TRACE_FUNC, ("Retrieving SELinux user mapping\n"));
req = tevent_req_create(mem_ctx, &state, struct ipa_get_selinux_state);
@@ -828,8 +829,8 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx,
offline ? "offline" : "online"));
if (!offline) {
- /* FIXME: Make the interval configurable */
- refresh_interval = 5;
+ refresh_interval = dp_opt_get_int(ipa_options->basic,
+ IPA_SELINUX_REFRESH);
now = time(NULL);
if (now < selinux_ctx->last_update + refresh_interval) {
/* SELinux maps were recently updated -> force offline */
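Review bot: The value fetched by the new `dp_opt_get_int(ipa_options->basic, IPA_SELINUX_REFRESH)` call feeds `now < selinux_ctx->last_update + refresh_interval` unchecked; as far as I can see nothing range-checks a DP_OPT_NUMBER, so a negative `ipa_selinux_refresh` silently behaves like 0 (every login goes to the server) and a very large one keeps a stale SELinux user map in force for that long, a policy-freshness choice the operator should at least see logged. I would clamp and log at this point: `if (refresh_interval < 0) { DEBUG(SSSDBG_MINOR_FAILURE, ("ipa_selinux_refresh is negative, treating as 0\n")); refresh_interval = 0; }`, or reject the value where the options are parsed, which is outside this hunk. The surrounding `now = time(NULL)` comparison is wall-clock based, so a backwards clock step extends the cache window beyond the configured interval; that is pre-existing, but now that the window is operator-controlled a comment such as `/* wall-clock based: a clock step can lengthen the cache window */` would help. ipa_get_selinux_send begins before and ends after this hunk.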