Add SELinux user mapping framework.

This will allow one to define what SELinux context a given user gets on a given machine. A rule can contain a set of users and hosts or it can point to an existing HBAC rule that defines them. https://fedorahosted.org/freeipa/ticket/755
2025-02-25 18:55:28 -06:00 · 2011-11-23 16:59:21 -05:00
parent a1c9e3618c
commit 55512dc938
14 changed files with 1309 additions and 4 deletions
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -47,6 +47,9 @@ Certificate Subject base: the configured certificate subject base,
 Password plug-in features: currently defines additional hashes that the
  password will generate (there may be other conditions).

+When setting the order list for mapping SELinux users you may need to
+quote the value so it isn't interpreted by the shell.
+
 EXAMPLES:

 Show basic server configuration:
@@ -66,6 +69,9 @@ EXAMPLES:

 Enable migration mode to make "ipa migrate-ds" command operational:
   ipa config-mod --enable-migration=TRUE
+
+ Define SELinux user map order:
+   ipa config-mod --ipaselinuxusermaporder='guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
 """)

 def validate_searchtimelimit(ugettext, limit):
@@ -83,7 +89,7 @@ class config(LDAPObject):
        'ipadefaultprimarygroup', 'ipadefaultemaildomain', 'ipasearchtimelimit',
        'ipasearchrecordslimit', 'ipausersearchfields', 'ipagroupsearchfields',
        'ipamigrationenabled', 'ipacertificatesubjectbase',
-        'ipapwdexpadvnotify',
+        'ipapwdexpadvnotify', 'ipaselinuxusermaporder', 'ipaselinuxusermapdefault',
    ]

    label = _('Configuration')
@@ -172,6 +178,14 @@ class config(LDAPObject):
            doc=_('Extra hashes to generate in password plug-in'),
            flags=['no_update'],
        ),
+        Str('ipaselinuxusermaporder?',
+            label=_('SELinux user map order'),
+            doc=_('Order in increasing priority of SELinux users, delimited by $'),
+        ),
+        Str('ipaselinuxusermapdefault?',
+            label=_('Default SELinux user'),
+            doc=_('Default SELinux user when no match is found in SELinux map rule'),
+        ),
    )

    def get_dn(self, *keys, **kwargs):
@@ -228,6 +242,31 @@ class config_mod(LDAPUpdate):
                                error=_('%s default attribute %s would not be allowed!') \
                                % (obj, obj_attr))

+        if 'ipaselinuxusermapdefault' in options and options['ipaselinuxusermapdefault'] is None:
+            raise errors.ValidationError(name='ipaselinuxusermapdefault',
+                error=_('SELinux user map default user may not be empty'))
+
+        # Make sure the default user is in the list
+        if 'ipaselinuxusermapdefault' in options or \
+          'ipaselinuxusermaporder' in options:
+            config = None
+            if 'ipaselinuxusermapdefault' in options:
+                defaultuser = options['ipaselinuxusermapdefault']
+            else:
+                config = ldap.get_ipa_config()[1]
+                defaultuser = config['ipaselinuxusermapdefault']
+
+            if 'ipaselinuxusermaporder' in options:
+                order = options['ipaselinuxusermaporder']
+            else:
+                if not config:
+                    config = ldap.get_ipa_config()[1]
+                order = config['ipaselinuxusermaporder']
+            userlist = order[0].split('$')
+            if defaultuser not in userlist:
+                raise errors.ValidationError(name='ipaselinuxusermaporder',
+                    error=_('Default SELinux user map default user not in order list'))
+
        return dn

 api.register(config_mod)