Make use of single configuration point for SELinux

For now, FreeIPA supports SELinux things as they are in RedHat/Fedora. But different distributions may have their own SELinux customizations. This moves SELinux configuration out to platform constants: - SELINUX_MCS_MAX - SELINUX_MCS_REGEX - SELINUX_MLS_MAX - SELINUX_MLS_REGEX - SELINUX_USER_REGEX - SELINUX_USERMAP_DEFAULT - SELINUX_USERMAP_ORDER and applies corresponding changes to the test code. Fixes: https://pagure.io/freeipa/issue/7996 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-06-27 11:52:40 +03:00
parent 215e8f768c
commit b2acd65013
11 changed files with 147 additions and 58 deletions
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -54,6 +54,20 @@ class BaseConstantsNamespace:
            'samba_share_nfs': 'on',
        },
    }
+    SELINUX_MCS_MAX = 1023
+    SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
+    SELINUX_MLS_MAX = 15
+    SELINUX_MLS_REGEX = r"^s(\d+)(-s(\d+))?$"
+    SELINUX_USER_REGEX = r"^[a-zA-Z][a-zA-Z_\.]*$"
+    SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
+    SELINUX_USERMAP_ORDER = (
+        "guest_u:s0"
+        "$$xguest_u:s0"
+        "$$user_u:s0"
+        "$$staff_u:s0-s0:c0.c1023"
+        "$$sysadm_u:s0-s0:c0.c1023"
+        "$$unconfined_u:s0-s0:c0.c1023"
+    )
    SSSD_USER = "sssd"
    # WSGI module override, only used on Fedora
    MOD_WSGI_PYTHON2 = None