IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Make use of single configuration point for SELinux

Browse Source 
For now, FreeIPA supports SELinux things as they are in RedHat/Fedora.
But different distributions may have their own SELinux customizations.

This moves SELinux configuration out to platform constants:
- SELINUX_MCS_MAX
- SELINUX_MCS_REGEX
- SELINUX_MLS_MAX
- SELINUX_MLS_REGEX
- SELINUX_USER_REGEX
- SELINUX_USERMAP_DEFAULT
- SELINUX_USERMAP_ORDER

and applies corresponding changes to the test code.

Fixes: https://pagure.io/freeipa/issue/7996
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Stanislav Levin
2019-06-27 11:52:40 +03:00
committed by Alexander Bokovoy
parent 215e8f768c
commit b2acd65013
11 changed files with 147 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
install/share/bootstrap-template.ldif
View File

@@ -426,8 +426,8 @@ ipaDefaultEmailDomain: $DOMAIN
ipaMigrationEnabled: FALSE ipaMigrationEnabled: FALSE
ipaConfigString: AllowNThash ipaConfigString: AllowNThash
ipaConfigString: KDC:Disable Last Success ipaConfigString: KDC:Disable Last Success
ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$sysadm_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 ipaSELinuxUserMapOrder: $SELINUX_USERMAP_ORDER
ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023 ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
dn: cn=cosTemplates,cn=accounts,$SUFFIX dn: cn=cosTemplates,cn=accounts,$SUFFIX
changetype: add changetype: add

2
install/updates/50-ipaconfig.update
View File

@@ -1,7 +1,7 @@
dn: cn=ipaConfig,cn=etc,$SUFFIX dn: cn=ipaConfig,cn=etc,$SUFFIX
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023 add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
add:ipaUserObjectClasses: ipasshuser add:ipaUserObjectClasses: ipasshuser
remove:ipaConfigString:AllowLMhash remove:ipaConfigString:AllowLMhash
add:objectClass: ipaUserAuthTypeClass add:objectClass: ipaUserAuthTypeClass

14
ipaplatform/base/constants.py
View File

@@ -54,6 +54,20 @@ class BaseConstantsNamespace:
'samba_share_nfs': 'on', 'samba_share_nfs': 'on',
}, },
} }
SELINUX_MCS_MAX = 1023
SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
SELINUX_MLS_MAX = 15
SELINUX_MLS_REGEX = r"^s(\d+)(-s(\d+))?$"
SELINUX_USER_REGEX = r"^[a-zA-Z][a-zA-Z_\.]*$"
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
SELINUX_USERMAP_ORDER = (
"guest_u:s0"
"$$xguest_u:s0"
"$$user_u:s0"
"$$staff_u:s0-s0:c0.c1023"
"$$sysadm_u:s0-s0:c0.c1023"
"$$unconfined_u:s0-s0:c0.c1023"
)
SSSD_USER = "sssd" SSSD_USER = "sssd"
# WSGI module override, only used on Fedora # WSGI module override, only used on Fedora
MOD_WSGI_PYTHON2 = None MOD_WSGI_PYTHON2 = None

2
ipaserver/install/dsinstance.py
View File

@@ -521,6 +521,8 @@ class DsInstance(service.Service):
' '.join(replication.TOTAL_EXCLUDES), ' '.join(replication.TOTAL_EXCLUDES),
DEFAULT_SHELL=platformconstants.DEFAULT_SHELL, DEFAULT_SHELL=platformconstants.DEFAULT_SHELL,
DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL, DEFAULT_ADMIN_SHELL=platformconstants.DEFAULT_ADMIN_SHELL,
SELINUX_USERMAP_DEFAULT=platformconstants.SELINUX_USERMAP_DEFAULT,
SELINUX_USERMAP_ORDER=platformconstants.SELINUX_USERMAP_ORDER,
) )
def __create_instance(self): def __create_instance(self):

4
ipaserver/install/ldapupdate.py
View File

@@ -40,6 +40,7 @@ from ipapython import ipautil, ipaldap
from ipalib import errors from ipalib import errors
from ipalib import api, create_api from ipalib import api, create_api
from ipalib import constants from ipalib import constants
from ipaplatform.constants import constants as platformconstants
from ipaplatform.paths import paths from ipaplatform.paths import paths
from ipapython.dn import DN from ipapython.dn import DN
@@ -318,6 +319,9 @@ class LDAPUpdate:
if not self.sub_dict.get("TOTAL_EXCLUDES"): if not self.sub_dict.get("TOTAL_EXCLUDES"):
self.sub_dict["TOTAL_EXCLUDES"] = "(objectclass=*) $ EXCLUDE " + \ self.sub_dict["TOTAL_EXCLUDES"] = "(objectclass=*) $ EXCLUDE " + \
" ".join(constants.REPL_AGMT_TOTAL_EXCLUDES) " ".join(constants.REPL_AGMT_TOTAL_EXCLUDES)
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
platformconstants.SELINUX_USERMAP_DEFAULT
self.api = create_api(mode=None) self.api = create_api(mode=None)
self.api.bootstrap(in_server=True, self.api.bootstrap(in_server=True,
context='updates', context='updates',

60
ipaserver/plugins/selinuxusermap.py
View File

@@ -37,6 +37,7 @@ from ipalib import _, ngettext
from ipalib import output from ipalib import output
from .hbacrule import is_all from .hbacrule import is_all
from ipapython.dn import DN from ipapython.dn import DN
from ipaplatform.constants import constants as platformconstants
__doc__ = _(""" __doc__ = _("""
SELinux User Mapping SELinux User Mapping
@@ -92,37 +93,62 @@ def validate_selinuxuser(ugettext, user):
""" """
An SELinux user has 3 components: user:MLS:MCS. user and MLS are required. An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
user traditionally ends with _u but this is not mandatory. user traditionally ends with _u but this is not mandatory.
The regex is ^[a-zA-Z][a-zA-Z_\.]* The regex is {name}
The MLS part can only be: The MLS part can only be:
Level: s[0-15](-s[0-15]) Level: {mls}
MaxLevel: {mls_max}
Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123] Then MCS could be {mcs}
Meaning MaxCat: {mcs_max}
s0 s0-s1 s0-s15:c0.c1023 s0-s1:c0,c2,c15.c26 s0-s0:c0.c1023
Returns a message on invalid, returns nothing on valid. Returns a message on invalid, returns nothing on valid.
""" """.format(
regex_name = re.compile(r'^[a-zA-Z][a-zA-Z_\.]*$') name=platformconstants.SELINUX_USER_REGEX,
regex_mls = re.compile(r'^s[0-9][1-5]{0,1}(-s[0-9][1-5]{0,1}){0,1}$') mls=platformconstants.SELINUX_MLS_REGEX,
regex_mcs = re.compile(r'^c(\d+)([.,-]c(\d+))*?$') mls_max=platformconstants.SELINUX_MLS_MAX,
mcs=platformconstants.SELINUX_MCS_REGEX,
mcs_max=platformconstants.SELINUX_MCS_MAX,
)
SELINUX_MCS_MAX = platformconstants.SELINUX_MCS_MAX
SELINUX_MCS_REGEX = platformconstants.SELINUX_MCS_REGEX
SELINUX_MLS_MAX = platformconstants.SELINUX_MLS_MAX
SELINUX_MLS_REGEX = platformconstants.SELINUX_MLS_REGEX
SELINUX_USER_REGEX = platformconstants.SELINUX_USER_REGEX
regex_name = re.compile(SELINUX_USER_REGEX)
regex_mls = re.compile(SELINUX_MLS_REGEX)
regex_mcs = re.compile(SELINUX_MCS_REGEX)
# If we add in ::: we don't have to check to see if some values are # If we add in ::: we don't have to check to see if some values are
# empty # empty
(name, mls, mcs, _ignore) = (user + ':::').split(':', 3) (name, mls, mcs, _ignore) = (user + ':::').split(':', 3)
if not regex_name.match(name): if not regex_name.match(name):
return _('Invalid SELinux user name, only a-Z, _ and . are allowed') return _('Invalid SELinux user name, must match {}').format(
if not mls or not regex_mls.match(mls): SELINUX_USER_REGEX)
return _('Invalid MLS value, must match s[0-15](-s[0-15])')
m = regex_mcs.match(mcs) def _validate_level(level, level_regex, upper_limit):
if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))): if not level_regex.match(level):
return _('Invalid MCS value, must match c[0-1023].c[0-1023] ' return False
'and/or c[0-1023]-c[0-c0123]')
for m in re.finditer(r'\d+', level):
if int(m.group()) > upper_limit:
return False
return True
if not mls or not _validate_level(mls, regex_mls, SELINUX_MLS_MAX):
return _(
'Invalid MLS value, must match {mls}, where max level '
'{mls_max}').format(mls=SELINUX_MLS_REGEX, mls_max=SELINUX_MLS_MAX)
if mcs and not _validate_level(mcs, regex_mcs, SELINUX_MCS_MAX):
return _(
'Invalid MCS value, must match {mcs}, where max category '
'{mcs_max}').format(mcs=SELINUX_MCS_REGEX, mcs_max=SELINUX_MCS_MAX)
return None return None
def validate_selinuxuser_inlist(ldap, user): def validate_selinuxuser_inlist(ldap, user):
""" """
Ensure the user is in the list of allowed SELinux users. Ensure the user is in the list of allowed SELinux users.

3
ipatests/test_integration/test_winsyncmigrate.py
View File

@@ -59,6 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
ipa_group = 'ipa_group' ipa_group = 'ipa_group'
ad_user = 'testuser' ad_user = 'testuser'
default_shell = platformconstants.DEFAULT_SHELL default_shell = platformconstants.DEFAULT_SHELL
selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
test_role = 'test_role' test_role = 'test_role'
test_hbac_rule = 'test_hbac_rule' test_hbac_rule = 'test_hbac_rule'
test_selinux_map = 'test_selinux_map' test_selinux_map = 'test_selinux_map'
@@ -102,7 +103,7 @@ class TestWinsyncMigrate(IntegrationTest):
cls.master.run_command(['ipa', 'hbacrule-add', cls.test_hbac_rule]) cls.master.run_command(['ipa', 'hbacrule-add', cls.test_hbac_rule])
cls.master.run_command([ cls.master.run_command([
'ipa', 'selinuxusermap-add', cls.test_selinux_map, 'ipa', 'selinuxusermap-add', cls.test_selinux_map,
'--selinuxuser', 'guest_u:s0']) '--selinuxuser', cls.selinuxuser])
@classmethod @classmethod
def setup_user_memberships(cls, user): def setup_user_memberships(cls, user):

38
ipatests/test_webui/data_selinuxusermap.py
View File

@@ -2,6 +2,19 @@
# Copyright (C) 2018 FreeIPA Contributors see COPYING for license # Copyright (C) 2018 FreeIPA Contributors see COPYING for license
# #
from ipaplatform.constants import constants as platformconstants
# for example, user_u:s0
selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
second_mls_level = 's{}'.format(list(range(0, selinux_mls_max + 1))[0])
second_mcs_level = 'c{}'.format(list(range(0, selinux_mcs_max + 1))[0])
mcs_range = '{0}.{0}'.format(second_mcs_level)
ENTITY = 'selinuxusermap' ENTITY = 'selinuxusermap'
PKEY = 'itest-selinuxusermap' PKEY = 'itest-selinuxusermap'
@@ -9,7 +22,7 @@ DATA = {
'pkey': PKEY, 'pkey': PKEY,
'add': [ 'add': [
('textbox', 'cn', PKEY), ('textbox', 'cn', PKEY),
('textbox', 'ipaselinuxuser', 'user_u:s0'), ('textbox', 'ipaselinuxuser', selinuxuser1),
], ],
'mod': [ 'mod': [
('textarea', 'description', 'itest-selinuxusermap desc'), ('textarea', 'description', 'itest-selinuxusermap desc'),
@@ -21,7 +34,7 @@ DATA2 = {
'pkey': PKEY2, 'pkey': PKEY2,
'add': [ 'add': [
('textbox', 'cn', PKEY2), ('textbox', 'cn', PKEY2),
('textbox', 'ipaselinuxuser', 'unconfined_u:s0-s0:c0.c1023'), ('textbox', 'ipaselinuxuser', selinuxuser2),
], ],
'mod': [ 'mod': [
('textarea', 'description', 'itest-selinuxusermap desc2'), ('textarea', 'description', 'itest-selinuxusermap desc2'),
@@ -33,7 +46,7 @@ DATA_MLS_RANGE = {
'pkey': PKEY_MLS_RANGE, 'pkey': PKEY_MLS_RANGE,
'add': [ 'add': [
('textbox', 'cn', PKEY_MLS_RANGE), ('textbox', 'cn', PKEY_MLS_RANGE),
('textbox', 'ipaselinuxuser', 'user_u:s0-s1'), ('textbox', 'ipaselinuxuser', 'foo:s0-{}'.format(second_mls_level)),
], ],
} }
@@ -42,7 +55,9 @@ DATA_MCS_RANGE = {
'pkey': PKEY_MCS_RANGE, 'pkey': PKEY_MCS_RANGE,
'add': [ 'add': [
('textbox', 'cn', PKEY_MCS_RANGE), ('textbox', 'cn', PKEY_MCS_RANGE),
('textbox', 'ipaselinuxuser', 'user_u:s0-s15:c0.c1023'), ('textbox', 'ipaselinuxuser',
'foo:s0-s{}:c0.c{}'.format(selinux_mls_max, selinux_mcs_max)
),
], ],
} }
@@ -51,7 +66,10 @@ DATA_MCS_COMMAS = {
'pkey': PKEY_MCS_COMMAS, 'pkey': PKEY_MCS_COMMAS,
'add': [ 'add': [
('textbox', 'cn', PKEY_MCS_COMMAS), ('textbox', 'cn', PKEY_MCS_COMMAS),
('textbox', 'ipaselinuxuser', 'user_u:s0-s1:c0,c2,c15.c26'), ('textbox', 'ipaselinuxuser',
'foo:s0-{}:c0,{},{}'.format(
second_mls_level, second_mcs_level, mcs_range),
),
], ],
} }
@@ -60,7 +78,9 @@ DATA_MLS_SINGLE_VAL = {
'pkey': PKEY_MLS_SINGLE_VAL, 'pkey': PKEY_MLS_SINGLE_VAL,
'add': [ 'add': [
('textbox', 'cn', PKEY_MLS_SINGLE_VAL), ('textbox', 'cn', PKEY_MLS_SINGLE_VAL),
('textbox', 'ipaselinuxuser', 'user_u:s0-s0:c0.c1023'), ('textbox', 'ipaselinuxuser',
'foo:s0-s0:c0.c{}'.format(selinux_mcs_max)
),
], ],
} }
@@ -69,7 +89,7 @@ DATA_NON_EXIST_SEUSER = {
'pkey': PKEY_NON_EXIST_SEUSER, 'pkey': PKEY_NON_EXIST_SEUSER,
'add': [ 'add': [
('textbox', 'cn', PKEY_NON_EXIST_SEUSER), ('textbox', 'cn', PKEY_NON_EXIST_SEUSER),
('textbox', 'ipaselinuxuser', 'abc:s0'), ('textbox', 'ipaselinuxuser', 'foo:s0'),
], ],
} }
@@ -78,7 +98,7 @@ DATA_INVALID_MCS = {
'pkey': PKEY_INVALID_MCS, 'pkey': PKEY_INVALID_MCS,
'add': [ 'add': [
('textbox', 'cn', PKEY_INVALID_MCS), ('textbox', 'cn', PKEY_INVALID_MCS),
('textbox', 'ipaselinuxuser', 'user:s0:c'), ('textbox', 'ipaselinuxuser', 'foo:s0:c'),
], ],
} }
@@ -87,7 +107,7 @@ DATA_INVALID_MLS = {
'pkey': PKEY_INVALID_MLS, 'pkey': PKEY_INVALID_MLS,
'add': [ 'add': [
('textbox', 'cn', PKEY_INVALID_MLS), ('textbox', 'cn', PKEY_INVALID_MLS),
('textbox', 'ipaselinuxuser', 'user'), ('textbox', 'ipaselinuxuser', 'foo'),
], ],
} }

13
ipatests/test_webui/test_selinuxusermap.py
View File

@@ -21,6 +21,7 @@
SELinux user map tests SELinux user map tests
""" """
from ipaplatform.constants import constants as platformconstants
from ipatests.test_webui.ui_driver import UI_driver from ipatests.test_webui.ui_driver import UI_driver
from ipatests.test_webui.ui_driver import screenshot from ipatests.test_webui.ui_driver import screenshot
import ipatests.test_webui.data_user as user import ipatests.test_webui.data_user as user
@@ -41,10 +42,14 @@ RULE_ALR_EXIST = 'SELinux User Map rule with name "{}" already exists'
RULE_UPDATED = 'SELinux User Map {} updated' RULE_UPDATED = 'SELinux User Map {} updated'
RULE_ADDED = 'SELinux User Map successfully added' RULE_ADDED = 'SELinux User Map successfully added'
INVALID_SEUSER = 'SELinux user {} not found in ordering list (in config)' INVALID_SEUSER = 'SELinux user {} not found in ordering list (in config)'
INVALID_MCS = ("invalid 'selinuxuser': Invalid MCS value, must match c[0-1023]" INVALID_MCS = ("invalid 'selinuxuser': Invalid MCS value, must match {}, "
".c[0-1023] and/or c[0-1023]-c[0-c0123]") "where max category {}").format(
INVALID_MLS = ("invalid 'selinuxuser': Invalid MLS value, must match " platformconstants.SELINUX_MCS_REGEX,
"s[0-15](-s[0-15])") platformconstants.SELINUX_MCS_MAX)
INVALID_MLS = ("invalid 'selinuxuser': Invalid MLS value, must match {}, "
"where max level {}").format(
platformconstants.SELINUX_MLS_REGEX,
platformconstants.SELINUX_MLS_MAX)
HBAC_DEL_ERR = ('{} cannot be deleted because SELinux User Map {} requires ' HBAC_DEL_ERR = ('{} cannot be deleted because SELinux User Map {} requires '
'it') 'it')
HBAC_MEMBER_ERR = 'HBAC rule and local members cannot both be set' HBAC_MEMBER_ERR = 'HBAC rule and local members cannot both be set'

21
ipatests/test_xmlrpc/test_config_plugin.py
View File

@@ -23,6 +23,7 @@ Test the `ipaserver/plugins/config.py` module.
""" """
from ipalib import api, errors from ipalib import api, errors
from ipaplatform.constants import constants as platformconstants
from ipatests.test_xmlrpc.xmlrpc_test import Declarative from ipatests.test_xmlrpc.xmlrpc_test import Declarative
import pytest import pytest
@@ -109,8 +110,11 @@ class test_config(Declarative):
desc='Try to set invalid ipaselinuxusermapdefault', desc='Try to set invalid ipaselinuxusermapdefault',
command=('config_mod', [], command=('config_mod', [],
dict(ipaselinuxusermapdefault=u'foo')), dict(ipaselinuxusermapdefault=u'foo')),
expected=errors.ValidationError(name='ipaselinuxusermapdefault', expected=errors.ValidationError(
error='Invalid MLS value, must match s[0-15](-s[0-15])'), name='ipaselinuxusermapdefault',
error='Invalid MLS value, must match {}, where max level '
'{}'.format(platformconstants.SELINUX_MLS_REGEX,
platformconstants.SELINUX_MLS_MAX)),
), ),
dict( dict(
@@ -140,10 +144,13 @@ class test_config(Declarative):
dict( dict(
desc='Try to set invalid selinux user in ipaselinuxusermaporder', desc='Try to set invalid selinux user in ipaselinuxusermaporder',
command=('config_mod', [], command=('config_mod', [],
dict(ipaselinuxusermaporder=u'unconfined_u:s0-s0:c0.c1023$baduser$guest_u:s0')), dict(ipaselinuxusermaporder=u'baduser')),
expected=errors.ValidationError(name='ipaselinuxusermaporder', expected=errors.ValidationError(
name='ipaselinuxusermaporder',
error='SELinux user \'baduser\' is not valid: Invalid MLS ' error='SELinux user \'baduser\' is not valid: Invalid MLS '
'value, must match s[0-15](-s[0-15])'), 'value, must match {}, where max level {}'.format(
platformconstants.SELINUX_MLS_REGEX,
platformconstants.SELINUX_MLS_MAX)),
), ),
dict( dict(
@@ -151,9 +158,7 @@ class test_config(Declarative):
command=( command=(
'config_mod', [], 'config_mod', [],
dict( dict(
ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0' ipaselinuxusermaporder=u'foo:s0',
u'$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023'
u'$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
ipaselinuxusermapdefault=u'unknown_u:s0')), ipaselinuxusermapdefault=u'unknown_u:s0')),
expected=errors.ValidationError(name='ipaselinuxusermapdefault', expected=errors.ValidationError(name='ipaselinuxusermapdefault',
error='SELinux user map default user not in order list'), error='SELinux user map default user not in order list'),

44
ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
View File

@@ -21,6 +21,8 @@ Test the `ipaserver/plugins/selinuxusermap.py` module.
""" """
from ipalib import api, errors from ipalib import api, errors
from ipaplatform.constants import constants as platformconstants
from ipatests.test_xmlrpc import objectclasses from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits, from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
fuzzy_uuid) fuzzy_uuid)
@@ -30,8 +32,16 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
import pytest import pytest
rule1 = u'selinuxrule1' rule1 = u'selinuxrule1'
selinuxuser1 = u'guest_u:s0' selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
selinuxuser2 = u'xguest_u:s0' selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
platformconstants.SELINUX_MCS_REGEX,
platformconstants.SELINUX_MCS_MAX)
INVALID_MLS = "Invalid MLS value, must match {}, where max level {}".format(
platformconstants.SELINUX_MLS_REGEX,
platformconstants.SELINUX_MLS_MAX)
user1 = u'tuser1' user1 = u'tuser1'
group1 = u'testgroup1' group1 = u'testgroup1'
@@ -623,44 +633,46 @@ class test_selinuxusermap(Declarative):
), ),
expected=errors.ValidationError( expected=errors.ValidationError(
name='selinuxuser', name='selinuxuser',
error=u'Invalid SELinux user name, only a-Z, _ ' error=u'Invalid SELinux user name, must match {}'.format(
'and . are allowed' platformconstants.SELINUX_USER_REGEX)
), ),
), ),
dict( dict(
desc='Create rule with invalid MCS xguest_u:s999', desc='Create rule with invalid MLS foo:s{}'.format(
platformconstants.SELINUX_MLS_MAX + 1),
command=( command=(
'selinuxusermap_add', [rule1], 'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s999') dict(ipaselinuxuser=u'foo:s{}'.format(
platformconstants.SELINUX_MLS_MAX + 1))
), ),
expected=errors.ValidationError(name='selinuxuser', expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), error=INVALID_MLS),
), ),
dict( dict(
desc='Create rule with invalid MLS xguest_u:s0:p88', desc='Create rule with invalid MCS foo:s0:p88',
command=( command=(
'selinuxusermap_add', [rule1], 'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s0:p88') dict(ipaselinuxuser=u'foo:s0:p88')
), ),
expected=errors.ValidationError(name='selinuxuser', expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + error=INVALID_MCS),
u'and/or c[0-1023]-c[0-c0123]'),
), ),
dict( dict(
desc='Create rule with invalid MLS xguest_u:s0:c0.c1028', desc='Create rule with invalid MCS foo:s0:c0.c{}'.format(
platformconstants.SELINUX_MCS_MAX + 1),
command=( command=(
'selinuxusermap_add', [rule1], 'selinuxusermap_add', [rule1],
dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028') dict(ipaselinuxuser=u'foo:s0-s0:c0.c{}'.format(
platformconstants.SELINUX_MCS_MAX + 1))
), ),
expected=errors.ValidationError(name='selinuxuser', expected=errors.ValidationError(name='selinuxuser',
error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' + error=INVALID_MCS),
u'and/or c[0-1023]-c[0-c0123]'),
), ),
@@ -671,7 +683,7 @@ class test_selinuxusermap(Declarative):
dict(setattr=u'ipaselinuxuser=deny') dict(setattr=u'ipaselinuxuser=deny')
), ),
expected=errors.ValidationError(name='ipaselinuxuser', expected=errors.ValidationError(name='ipaselinuxuser',
error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), error=INVALID_MLS),
), ),
dict( dict(