UI for SELinux user mapping

This patch adds UI for SELinux user mapping. Its design is based on HBAC Rule design.

https://fedorahosted.org/freeipa/ticket/2145
Petr Voborník 2012-01-13 15:34:55 +01:00
parent 2c1f21a14b
commit d906fa50c1
20 changed files with 9130 additions and 2878 deletions


@ -51,6 +51,7 @@ app_DATA = \
policy.js \ policy.js \
rule.js \ rule.js \
search.js \ search.js \
selinux.js \
serverconfig.js \ serverconfig.js \
service.js \ service.js \
sudo.js \ sudo.js \


@ -205,7 +205,7 @@ IPA.hbacrule_details_facet = function(spec) {
{ {
type: 'enable', type: 'enable',
name: 'ipaenabledflag', name: 'ipaenabledflag',
priority: IPA.sudo.enable_priority, priority: IPA.hbac.enable_priority,
widget: 'general.ipaenabledflag' widget: 'general.ipaenabledflag'
} }
]; ];


@ -35,6 +35,7 @@
<script type="text/javascript" src="host.js"></script> <script type="text/javascript" src="host.js"></script>
<script type="text/javascript" src="hostgroup.js"></script> <script type="text/javascript" src="hostgroup.js"></script>
<script type="text/javascript" src="netgroup.js"></script> <script type="text/javascript" src="netgroup.js"></script>
<script type="text/javascript" src="selinux.js"></script>
<script type="text/javascript" src="service.js"></script> <script type="text/javascript" src="service.js"></script>
<script type="text/javascript" src="serverconfig.js"></script> <script type="text/javascript" src="serverconfig.js"></script>
<script type="text/javascript" src="sudo.js"></script> <script type="text/javascript" src="sudo.js"></script>


@ -147,6 +147,7 @@
+process host.js +process host.js
+process hostgroup.js +process hostgroup.js
+process netgroup.js +process netgroup.js
+process selinux.js
+process service.js +process service.js
+process serverconfig.js +process serverconfig.js
+process sudo.js +process sudo.js

291
install/ui/selinux.js Normal file

@ -0,0 +1,291 @@
/*jsl:import ipa.js */
/* Authors:
* Petr Vobornik <pvoborni@redhat.com>
*
* Copyright (C) 2012 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/* REQUIRES: ipa.js, details.js, search.js, add.js, facet.js, entity.js */
IPA.selinux = {
remove_method_priority: IPA.config.default_priority - 1,
enable_priority: IPA.config.default_priority + 1
};
IPA.selinux.selinuxusermap_entity = function(spec) {
var that = IPA.entity(spec);
that.init = function() {
that.entity_init();
that.builder.search_facet({
search_all: true,
columns: [
'cn',
'ipaselinuxuser',
{
name: 'ipaenabledflag',
format: IPA.boolean_format()
},
'description'
]
}).
details_facet({
factory: IPA.selinux_details_facet,
entity: that,
command_mode: 'info'
}).
adder_dialog({
fields: [
'cn',
'ipaselinuxuser'
]
});
};
return that;
};
IPA.selinux_details_facet = function(spec) {
var entity_name = spec.entity.name;
//
// General
//
spec.fields = [
{
name: 'cn',
read_only: true,
widget: 'general.cn'
},
{
type: 'textarea',
name: 'description',
widget: 'general.description'
},
{
name: 'ipaselinuxuser',
widget: 'general.ipaselinuxuser'
},
{
type: 'entity_select',
name: 'seealso',
widget: 'general.seealso'
},
{
type: 'enable',
name: 'ipaenabledflag',
priority: IPA.selinux.enable_priority,
widget: 'general.ipaenabledflag'
}
];
spec.widgets = [
{
type: 'details_table_section',
name: 'general',
label: IPA.messages.details.general,
widgets: [
{
name: 'cn'
},
{
type: 'textarea',
name: 'description'
},
{
name: 'ipaselinuxuser',
widget: 'general.ipaselinuxuser'
},
{
type: 'entity_select',
name: 'seealso',
other_entity: 'hbacrule',
other_field: 'cn'
},
{
type: 'enable',
name: 'ipaenabledflag',
options: [
{ value: 'TRUE', label: IPA.get_message('true') },
{ value: 'FALSE', label: IPA.get_message('false') }
]
}
]
}
];
//
// Users
//
spec.fields.push(
{
type: 'radio',
name: 'usercategory',
widget: 'user.rule.usercategory'
},
{
type: 'rule_association_table',
name: 'memberuser_user',
widget: 'user.rule.memberuser_user',
priority: IPA.selinux.remove_method_priority
},
{
type: 'rule_association_table',
name: 'memberuser_group',
widget: 'user.rule.memberuser_group',
priority: IPA.selinux.remove_method_priority
}
);
spec.widgets.push(
{
factory: IPA.collapsible_section,
name: 'user',
label: IPA.messages.objects.selinuxusermap.user,
widgets: [
{
factory: IPA.rule_details_widget,
name: 'rule',
radio_name: 'usercategory',
options: [
{ value: 'all',
label: IPA.messages.objects.selinuxusermap.anyone },
{ value: '',
label: IPA.messages.objects.selinuxusermap.specified_users }
],
tables: [
{ name: 'memberuser_user' },
{ name: 'memberuser_group' }
],
widgets: [
{
type: 'rule_association_table',
id: entity_name+'-memberuser_user',
name: 'memberuser_user',
add_method: 'add_user',
remove_method: 'remove_user',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
},
{
type: 'rule_association_table',
id: entity_name+'-memberuser_group',
name: 'memberuser_group',
add_method: 'add_user',
remove_method: 'remove_user',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
}
]
}
]
}
);
//
// Hosts
//
spec.fields.push(
{
type: 'radio',
name: 'hostcategory',
widget: 'host.rule.hostcategory'
},
{
type: 'rule_association_table',
name: 'memberhost_host',
widget: 'host.rule.memberhost_host',
priority: IPA.selinux.remove_method_priority
},
{
type: 'rule_association_table',
name: 'memberhost_hostgroup',
widget: 'host.rule.memberhost_hostgroup',
priority: IPA.selinux.remove_method_priority
}
);
spec.widgets.push(
{
factory: IPA.collapsible_section,
name: 'host',
label: IPA.messages.objects.selinuxusermap.host,
widgets: [
{
factory: IPA.rule_details_widget,
name: 'rule',
radio_name: 'hostcategory',
options: [
{
'value': 'all',
'label': IPA.messages.objects.selinuxusermap.any_host
},
{
'value': '',
'label': IPA.messages.objects.selinuxusermap.specified_hosts
}
],
tables: [
{ 'name': 'memberhost_host' },
{ 'name': 'memberhost_hostgroup' }
],
widgets: [
{
type: 'rule_association_table',
id: entity_name+'-memberuser_user',
name: 'memberhost_host',
add_method: 'add_host',
remove_method: 'remove_host',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
},
{
type: 'rule_association_table',
id: entity_name+'-memberuser_group',
name: 'memberhost_hostgroup',
add_method: 'add_host',
remove_method: 'remove_host',
add_title: IPA.messages.association.add.member,
remove_title: IPA.messages.association.remove.member
}
]
}
]
}
);
var that = IPA.details_facet(spec);
that.update_on_success = function(data, text_status, xhr) {
that.refresh();
};
that.update_on_error = function(xhr, text_status, error_thrown) {
that.refresh();
};
return that;
};
IPA.register('selinuxusermap', IPA.selinux.selinuxusermap_entity);
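Review bot: The two host tables at the end of the Hosts section reuse the user tables' DOM ids — `id: entity_name+'-memberuser_user'` and `id: entity_name+'-memberuser_group'` appear in both the Users and the Hosts `rule_association_table` widgets, so the details page renders duplicate element ids. They should read `id: entity_name+'-memberhost_host'` and `id: entity_name+'-memberhost_hostgroup'` to match their `name` values. The `ipaselinuxuser` entry in the `general` widgets list also carries a stray `widget: 'general.ipaselinuxuser'` key that looks copied from the field spec; none of the sibling widget entries have it and it can be dropped. Since `ipaselinuxuser` is taken as free text in both the adder dialog and the details facet and maps users to an SELinux context (the fixtures use `unconfined_u:s0-s0:c0.c1023`), nothing in this file checks its format, so a comment on the field such as `// format of the SELinux user string is validated server-side by selinuxusermap-add/mod` would make that dependency explicit.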


@ -281,6 +281,14 @@
"identity": "Role Settings" "identity": "Role Settings"
}, },
"selfservice": {}, "selfservice": {},
"selinuxusermap": {
"any_host": "Any Host",
"anyone": "Anyone",
"host": "Host",
"specified_hosts": "Specified Hosts and Groups",
"specified_users": "Specified Users and Groups",
"user": "User"
},
"service": { "service": {
"certificate": "Service Certificate", "certificate": "Service Certificate",
"delete_key_unprovision": "Delete Key, Unprovision", "delete_key_unprovision": "Delete Key, Unprovision",
@ -394,7 +402,7 @@
"cn": [ "cn": [
"Administrator" "Administrator"
], ],
"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=com", "dn": "uid=admin,cn=users,cn=accounts,dc=dev,dc=example,dc=com",
"gecos": [ "gecos": [
"Administrator" "Administrator"
], ],
@ -418,16 +426,13 @@
} }
], ],
"krblastpwdchange": [ "krblastpwdchange": [
"20110913052109Z" "20120110142413Z"
],
"krblastsuccessfulauth": [
"20110913053553Z"
], ],
"krbpasswordexpiration": [ "krbpasswordexpiration": [
"20111212052109Z" "20111212052109Z"
], ],
"krbprincipalname": [ "krbprincipalname": [
"admin@EXAMPLE.COM" "admin@DEV.EXAMPLE.COM"
], ],
"loginshell": [ "loginshell": [
"/bin/bash" "/bin/bash"
@ -460,10 +465,10 @@
"truncated": false "truncated": false
}, },
{ {
"count": 72, "count": 75,
"error": null, "error": null,
"result": { "result": {
"basedn": "dc=example,dc=com", "basedn": "dc=dev,dc=example,dc=com",
"bin": "/var/www", "bin": "/var/www",
"ca_agent_install_port": 9443, "ca_agent_install_port": 9443,
"ca_agent_port": 443, "ca_agent_port": 443,
@ -497,6 +502,7 @@
"container_privilege": "cn=privileges,cn=pbac", "container_privilege": "cn=privileges,cn=pbac",
"container_rolegroup": "cn=roles,cn=accounts", "container_rolegroup": "cn=roles,cn=accounts",
"container_roles": "cn=roles,cn=policies", "container_roles": "cn=roles,cn=policies",
"container_selinux": "cn=usermap,cn=selinux",
"container_service": "cn=services,cn=accounts", "container_service": "cn=services,cn=accounts",
"container_sudocmd": "cn=sudocmds,cn=sudo", "container_sudocmd": "cn=sudocmds,cn=sudo",
"container_sudocmdgroup": "cn=sudocmdgroups,cn=sudo", "container_sudocmdgroup": "cn=sudocmdgroups,cn=sudo",
@ -515,16 +521,17 @@
"in_tree": false, "in_tree": false,
"interactive": true, "interactive": true,
"ipalib": "/usr/lib/python2.7/site-packages/ipalib", "ipalib": "/usr/lib/python2.7/site-packages/ipalib",
"ldap_uri": "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket", "ldap_uri": "ldapi://%2fvar%2frun%2fslapd-DEV-EXAMPLE-COM.socket",
"log": null, "log": null,
"logdir": "/var/log/ipa", "logdir": "/var/log/ipa",
"mode": "production", "mode": "production",
"mount_ipa": "/ipa/", "mount_ipa": "/ipa/",
"mount_jsonserver": "json", "mount_jsonserver": "json",
"mount_xmlserver": "xml", "mount_xmlserver": "xml",
"plugins_on_demand": false,
"prompt_all": false, "prompt_all": false,
"ra_plugin": "selfsign", "ra_plugin": "dogtag",
"realm": "EXAMPLE.COM", "realm": "DEV.EXAMPLE.COM",
"rpc_json_uri": "http://localhost:8888/ipa/json", "rpc_json_uri": "http://localhost:8888/ipa/json",
"script": "/var/www/mod_wsgi", "script": "/var/www/mod_wsgi",
"site_packages": "/usr/lib/python2.7/site-packages", "site_packages": "/usr/lib/python2.7/site-packages",
@ -536,8 +543,8 @@
"webui_prod": true, "webui_prod": true,
"xmlrpc_uri": "https://dev.example.com/ipa/xml" "xmlrpc_uri": "https://dev.example.com/ipa/xml"
}, },
"summary": "72 variables", "summary": "75 variables",
"total": 72 "total": 75
}, },
{ {
"error": null, "error": null,





@ -0,0 +1,35 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberhost": {
"host": [],
"hostgroup": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberhost_host": [
"dev.example.com"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}


@ -0,0 +1,38 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberuser": {
"group": [],
"user": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberhost_host": [
"dev.example.com"
],
"memberuser_group": [
"user-group"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}


@ -0,0 +1,47 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": "Modified SELinux User Map \"karel_unconfined\"",
"value": "karel_unconfined"
}
}


@ -0,0 +1,17 @@
{
"error": null,
"id": null,
"result": {
"count": 1,
"result": [
{
"cn": [
"karel_unconfined"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com"
}
],
"summary": "1 SELinux User Map matched",
"truncated": false
}
}


@ -0,0 +1,39 @@
{
"error": null,
"id": null,
"result": {
"count": 1,
"results": [
{
"error": null,
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": null,
"value": "karel_unconfined"
}
]
}
}


@ -0,0 +1,47 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": "Modified SELinux User Map \"karel_unconfined\"",
"value": "karel_unconfined"
}
}


@ -0,0 +1,35 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberhost": {
"host": [],
"hostgroup": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberuser_group": [
"user-group"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}


@ -0,0 +1,32 @@
{
"error": null,
"id": null,
"result": {
"completed": 1,
"failed": {
"memberuser": {
"group": [],
"user": []
}
},
"result": {
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"memberuser_user": [
"karel",
"admin"
]
}
}
}


@ -0,0 +1,48 @@
{
"error": null,
"id": null,
"result": {
"result": {
"attributelevelrights": {
"accesstime": "rscwo",
"aci": "rscwo",
"cn": "rscwo",
"description": "rscwo",
"hostcategory": "rscwo",
"ipaenabledflag": "rscwo",
"ipaselinuxuser": "rscwo",
"ipauniqueid": "rsc",
"memberhost": "rscwo",
"memberuser": "rscwo",
"nsaccountlock": "rscwo",
"seealso": "rscwo",
"usercategory": "rscwo"
},
"cn": [
"karel_unconfined"
],
"description": [
"description"
],
"dn": "ipauniqueid=dbe2ffa0-3c2c-11e1-ad81-00163e6185c4,cn=usermap,cn=selinux,dc=dev,dc=example,dc=com",
"ipaenabledflag": [
"TRUE"
],
"ipaselinuxuser": [
"unconfined_u:s0-s0:c0.c1023"
],
"ipauniqueid": [
"dbe2ffa0-3c2c-11e1-ad81-00163e6185c4"
],
"memberuser_user": [
"karel"
],
"objectclass": [
"ipaassociation",
"ipaselinuxusermap"
]
},
"summary": null,
"value": "karel_unconfined"
}
}


@ -67,7 +67,8 @@ IPA.admin_navigation = function(spec) {
{entity: 'automountmap', hidden: true}, {entity: 'automountmap', hidden: true},
{entity: 'automountkey', hidden: true}]}, {entity: 'automountkey', hidden: true}]},
{entity: 'pwpolicy'}, {entity: 'pwpolicy'},
{entity: 'krbtpolicy'} {entity: 'krbtpolicy'},
{entity: 'selinuxusermap'}
]}, ]},
{name: 'ipaserver', label: IPA.messages.tabs.ipaserver, children: [ {name: 'ipaserver', label: IPA.messages.tabs.ipaserver, children: [
{name: 'rolebased', label: IPA.messages.tabs.role, children: [ {name: 'rolebased', label: IPA.messages.tabs.role, children: [


@ -420,6 +420,14 @@ class i18n_messages(Command):
}, },
"selfservice": { "selfservice": {
}, },
"selinuxusermap": {
"any_host": _("Any Host"),
"anyone": _("Anyone"),
"host": _("Host"),
"specified_hosts": _("Specified Hosts and Groups"),
"specified_users": _("Specified Users and Groups"),
"user": _("User"),
},
"service": { "service": {
"certificate": _("Service Certificate"), "certificate": _("Service Certificate"),
"delete_key_unprovision": _("Delete Key, Unprovision"), "delete_key_unprovision": _("Delete Key, Unprovision"),