mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Fix test_webui.test_selinuxusermap
A previous refactoring of SELinux tests made a wrong assumption about the user field separator within ipaSELinuxUserMapOrder. That was '$$', but should be just '$'. Actually, '.ldif' and '.update' files are passed through Python template string substitution: > $$ is an escape; it is replaced with a single $. > $identifier names a substitution placeholder matching > a mapping key of "identifier" This means that the text that is substituted in should not be escaped. The wrong ipaSELinuxUserMapOrder previously set will be replaced on upgrade. Fixes: https://pagure.io/freeipa/issue/7996 Fixes: https://pagure.io/freeipa/issue/8005 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
parent
be7f54d40c
commit
ac1ea0ec67
@ -1,4 +1,5 @@
|
|||||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||||
|
replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
|
||||||
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||||
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
||||||
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
|
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
|
||||||
|
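Review bot: The added `replace:` line carries no comment explaining why its old value is written with `$$$$`, and that cannot be read off the line itself. Per the commit message the file goes through Python template substitution, so `$$$$` renders as `$$` and the line matches the mis-separated value stored by the earlier release; a comment above it such as `# $$$$ renders as $$: matches the wrongly escaped default stored before issue 7996 was fixed` would record that. The old value is also the single hard-coded default, so a directory whose order was customised, or came from a platform override, while the `$$` separator was in effect would presumably not match and would keep the malformed list. That case is worth confirming, because this attribute holds the ordered list of SELinux users and a list that does not parse into the expected entries affects which users can be assigned.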
@ -62,11 +62,11 @@ class BaseConstantsNamespace:
|
|||||||
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
|
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
|
||||||
SELINUX_USERMAP_ORDER = (
|
SELINUX_USERMAP_ORDER = (
|
||||||
"guest_u:s0"
|
"guest_u:s0"
|
||||||
"$$xguest_u:s0"
|
"$xguest_u:s0"
|
||||||
"$$user_u:s0"
|
"$user_u:s0"
|
||||||
"$$staff_u:s0-s0:c0.c1023"
|
"$staff_u:s0-s0:c0.c1023"
|
||||||
"$$sysadm_u:s0-s0:c0.c1023"
|
"$sysadm_u:s0-s0:c0.c1023"
|
||||||
"$$unconfined_u:s0-s0:c0.c1023"
|
"$unconfined_u:s0-s0:c0.c1023"
|
||||||
)
|
)
|
||||||
SSSD_USER = "sssd"
|
SSSD_USER = "sssd"
|
||||||
# WSGI module override, only used on Fedora
|
# WSGI module override, only used on Fedora
|
||||||
|
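Review bot: Nothing on `SELINUX_USERMAP_ORDER` states that `$` is the field separator or that the string is used as a substitution value rather than as template text, which is the assumption the previous refactoring got wrong. A comment above the assignment would pin it down, for example `# '$'-separated list; passed as a template substitution value, so '$' must not be doubled`. The class body starts and ends outside this hunk.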
@ -322,6 +322,9 @@ class LDAPUpdate:
|
|||||||
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
|
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
|
||||||
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
|
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
|
||||||
platformconstants.SELINUX_USERMAP_DEFAULT
|
platformconstants.SELINUX_USERMAP_DEFAULT
|
||||||
|
if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
|
||||||
|
self.sub_dict["SELINUX_USERMAP_ORDER"] = \
|
||||||
|
platformconstants.SELINUX_USERMAP_ORDER
|
||||||
self.api = create_api(mode=None)
|
self.api = create_api(mode=None)
|
||||||
self.api.bootstrap(in_server=True,
|
self.api.bootstrap(in_server=True,
|
||||||
context='updates',
|
context='updates',
|
||||||
|
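Review bot: The new fallback at `if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):` covers only this code path, while the update file changed in this commit now depends on the `$SELINUX_USERMAP_ORDER` placeholder being resolved. If any other caller renders update files with its own substitution dictionary (not visible here), the placeholder would either raise or be written literally into `ipaSELinuxUserMapOrder`, depending on how the substitution is performed. A short comment such as `# required by the ipaSELinuxUserMapOrder replace in the config update file` would record the coupling. The enclosing method starts and ends outside the hunk.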
@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
|
|||||||
ipa_group = 'ipa_group'
|
ipa_group = 'ipa_group'
|
||||||
ad_user = 'testuser'
|
ad_user = 'testuser'
|
||||||
default_shell = platformconstants.DEFAULT_SHELL
|
default_shell = platformconstants.DEFAULT_SHELL
|
||||||
selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
||||||
test_role = 'test_role'
|
test_role = 'test_role'
|
||||||
test_hbac_rule = 'test_hbac_rule'
|
test_hbac_rule = 'test_hbac_rule'
|
||||||
test_selinux_map = 'test_selinux_map'
|
test_selinux_map = 'test_selinux_map'
|
||||||
|
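Review bot: The separator is still a bare literal in `platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]`, and the same expression is repeated for `selinuxuser1`/`selinuxuser2` in the two test modules that follow, which is how the `$$` mistake ended up in several places at once. Defining the separator once next to the constant, or exposing the already-split list, and having the tests use that would keep them from drifting again. As a sketch with a proposed (not existing) name: `selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split(SELINUX_USERMAP_SEPARATOR)[0]`.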
@ -5,8 +5,8 @@
|
|||||||
from ipaplatform.constants import constants as platformconstants
|
from ipaplatform.constants import constants as platformconstants
|
||||||
|
|
||||||
# for example, user_u:s0
|
# for example, user_u:s0
|
||||||
selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
||||||
selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
|
selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
|
||||||
|
|
||||||
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
|
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
|
||||||
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
|
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
|
||||||
|
@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
|
|||||||
import pytest
|
import pytest
|
||||||
|
|
||||||
rule1 = u'selinuxrule1'
|
rule1 = u'selinuxrule1'
|
||||||
selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
||||||
selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
|
selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
|
||||||
|
|
||||||
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
|
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
|
||||||
platformconstants.SELINUX_MCS_REGEX,
|
platformconstants.SELINUX_MCS_REGEX,
|
||||||
|