Set SELinux default context to unconfined_u:s0-s0:c0.c1023

Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default. https://fedorahosted.org/freeipa/ticket/3045
2025-01-26 16:16:31 -06:00 · 2012-09-10 17:07:54 -04:00 · 2012-09-10 17:07:54 -04:00 · 79b90d1465
commit 79b90d1465
parent 46f09fb8cc
3 changed files with 8 additions and 5 deletions
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@ -383,7 +383,7 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-ipaSELinuxUserMapDefault: guest_u:s0
+ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023

 dn: cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
 add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-add:ipaSELinuxUserMapDefault: guest_u:s0
+add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023

 add:ipaUserObjectClasses: ipasshuser
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@ -185,7 +185,7 @@ class config(LDAPObject):
            label=_('SELinux user map order'),
            doc=_('Order in increasing priority of SELinux users, delimited by $'),
        ),
-        Str('ipaselinuxusermapdefault',
+        Str('ipaselinuxusermapdefault?',
            label=_('Default SELinux user'),
            doc=_('Default SELinux user when no match is found in SELinux map rule'),
        ),
@ -274,7 +274,10 @@ class config_mod(LDAPUpdate):
                failedattr = 'ipaselinuxusermapdefault'
            else:
                config = ldap.get_ipa_config()[1]
-                defaultuser = config['ipaselinuxusermapdefault'][0]
+                if 'ipaselinuxusermapdefault' in config:
+                    defaultuser = config['ipaselinuxusermapdefault'][0]
+                else:
+                    defaultuser = None

            if 'ipaselinuxusermaporder' in validate:
                order = validate['ipaselinuxusermaporder']
@ -284,7 +287,7 @@ class config_mod(LDAPUpdate):
                    config = ldap.get_ipa_config()[1]
                order = config['ipaselinuxusermaporder']
                userlist = order[0].split('$')
-            if defaultuser not in userlist:
+            if defaultuser and defaultuser not in userlist:
                raise errors.ValidationError(name=failedattr,
                    error=_('SELinux user map default user not in order list'))