Add sysadm_r to default SELinux user map order

It is a standard SELinux user role included in RHEL (like user_r, staff_r, guest_r) and used quite often. Fixes: https://pagure.io/freeipa/issue/7658 Signed-off-by: François Cami <fcami@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2024-12-23 07:33:27 -06:00 · 2018-11-09 17:30:32 +01:00 · 2018-11-09 17:30:32 +01:00 · 044ffe0dd0
commit 044ffe0dd0
parent 60a31d3f0e
3 changed files with 8 additions and 4 deletions
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@ -411,7 +411,7 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaConfigString: KDC:Disable Last Success
-ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
+ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$sysadm_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023

 dn: cn=cosTemplates,cn=accounts,$SUFFIX
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@ -36,7 +36,7 @@
                  "ipausers"
               ],
               "ipaselinuxusermaporder" : [
-                  "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
+                  "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
               ],
               "ca_renewal_master_server" : [
                  "vm.example.com"
--- a/ipatests/test_xmlrpc/test_config_plugin.py
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
@ -148,8 +148,12 @@ class test_config(Declarative):

        dict(
            desc='Try to set new selinux order and invalid default user',
-            command=('config_mod', [],
-                dict(ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
+            command=(
+                'config_mod', [],
+                dict(
+                    ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0'
+                    u'$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023'
+                    u'$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
                    ipaselinuxusermapdefault=u'unknown_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermapdefault',
                error='SELinux user map default user not in order list'),