diff options
author | Michal Zidek <mzidek@redhat.com> | 2013-03-01 13:44:03 +0100 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2013-03-19 17:50:53 +0100 |
commit | ba4378f49914e65a7d687a872d9b938173841154 (patch) | |
tree | 34da787dfa505711546d7d2b4f36a1c5ac47056c | |
parent | 2ff2a7469ef0b23b3feb418f3ecfa8cfbfa2239c (diff) | |
download | sssd-ba4378f49914e65a7d687a872d9b938173841154.tar.gz sssd-ba4378f49914e65a7d687a872d9b938173841154.tar.bz2 sssd-ba4378f49914e65a7d687a872d9b938173841154.zip |
Make the SELinux refresh time configurable.
Option ipa_selinux_refresh is added to basic ipa options.
-rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
-rw-r--r-- | src/config/etc/sssd.api.d/sssd-ipa.conf | 1 | ||||
-rw-r--r-- | src/man/sssd-ipa.5.xml | 17 | ||||
-rw-r--r-- | src/providers/ipa/ipa_common.h | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_opts.h | 1 | ||||
-rw-r--r-- | src/providers/ipa/ipa_selinux.c | 5 |
6 files changed, 24 insertions, 2 deletions
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index fd54c7b6..a1f22395 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -136,6 +136,7 @@ option_strings = { 'ipa_dyndns_iface' : _("The interface whose IP should be used for dynamic DNS updates"), 'ipa_hbac_search_base' : _("Search base for HBAC related objects"), 'ipa_hbac_refresh' : _("The amount of time between lookups of the HBAC rules against the IPA server"), + 'ipa_selinux_refresh' : _("The amount of time in seconds between lookups of the SELinux maps against the IPA server"), 'ipa_hbac_treat_deny_as' : _("If DENY rules are present, either DENY_ALL or IGNORE"), 'ipa_hbac_support_srchost' : _("If set to false, host argument given by PAM will be ignored"), 'ipa_automount_location' : _("The automounter location this IPA client is using"), diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf index 56184590..87f69a23 100644 --- a/src/config/etc/sssd.api.d/sssd-ipa.conf +++ b/src/config/etc/sssd.api.d/sssd-ipa.conf @@ -141,6 +141,7 @@ krb5_fast_principal = str, None, false [provider/ipa/access] ipa_hbac_refresh = int, None, false +ipa_selinux_refresh = int, None, false ipa_hbac_treat_deny_as = str, None, false ipa_hbac_support_srchost = bool, None, false ipa_host_object_class = str, None, false diff --git a/src/man/sssd-ipa.5.xml b/src/man/sssd-ipa.5.xml index 56220c3e..8630a5d6 100644 --- a/src/man/sssd-ipa.5.xml +++ b/src/man/sssd-ipa.5.xml @@ -316,6 +316,23 @@ </para> </listitem> </varlistentry> + + <varlistentry> + <term>ipa_hbac_selinux (integer)</term> + <listitem> + <para> + The amount of time between lookups of the SELinux + maps against the IPA server. This will reduce the + latency and load on the IPA server if there are + many user login requests made in a short + period. + </para> + <para> + Default: 5 (seconds) + </para> + </listitem> + </varlistentry> + <varlistentry> <term>ipa_hbac_treat_deny_as (string)</term> <listitem> diff --git a/src/providers/ipa/ipa_common.h b/src/providers/ipa/ipa_common.h index f077776b..e3915beb 100644 --- a/src/providers/ipa/ipa_common.h +++ b/src/providers/ipa/ipa_common.h @@ -47,6 +47,7 @@ enum ipa_basic_opt { IPA_MASTER_DOMAIN_SEARCH_BASE, IPA_KRB5_REALM, IPA_HBAC_REFRESH, + IPA_SELINUX_REFRESH, IPA_HBAC_DENY_METHOD, IPA_HBAC_SUPPORT_SRCHOST, IPA_AUTOMOUNT_LOCATION, diff --git a/src/providers/ipa/ipa_opts.h b/src/providers/ipa/ipa_opts.h index a2200d1b..7923b1ec 100644 --- a/src/providers/ipa/ipa_opts.h +++ b/src/providers/ipa/ipa_opts.h @@ -45,6 +45,7 @@ struct dp_option ipa_basic_opts[] = { { "ipa_master_domain_search_base", DP_OPT_STRING, NULL_STRING, NULL_STRING }, { "krb5_realm", DP_OPT_STRING, NULL_STRING, NULL_STRING}, { "ipa_hbac_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, + { "ipa_selinux_refresh", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER }, { "ipa_hbac_treat_deny_as", DP_OPT_STRING, { "DENY_ALL" }, NULL_STRING }, { "ipa_hbac_support_srchost", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE }, { "ipa_automount_location", DP_OPT_STRING, { "default" }, NULL_STRING }, diff --git a/src/providers/ipa/ipa_selinux.c b/src/providers/ipa/ipa_selinux.c index 489c203d..6705eea1 100644 --- a/src/providers/ipa/ipa_selinux.c +++ b/src/providers/ipa/ipa_selinux.c @@ -811,6 +811,7 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx, int ret = EOK; time_t now; time_t refresh_interval; + struct ipa_options *ipa_options = selinux_ctx->id_ctx->ipa_options; DEBUG(SSSDBG_TRACE_FUNC, ("Retrieving SELinux user mapping\n")); req = tevent_req_create(mem_ctx, &state, struct ipa_get_selinux_state); @@ -828,8 +829,8 @@ ipa_get_selinux_send(TALLOC_CTX *mem_ctx, offline ? "offline" : "online")); if (!offline) { - /* FIXME: Make the interval configurable */ - refresh_interval = 5; + refresh_interval = dp_opt_get_int(ipa_options->basic, + IPA_SELINUX_REFRESH); now = time(NULL); if (now < selinux_ctx->last_update + refresh_interval) { /* SELinux maps were recently updated -> force offline */ |