diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 23d2919db..18501cb7b 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
-add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 7a4d7b995..9d20818b2 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -133,3 +133,34 @@ class TestIPACommand(IntegrationTest):
 tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master)
+
+ def test_change_selinuxusermaporder(self):
+ """
+ An update file meant to ensure a more sane default was
+ overriding any customization done to the order.
+ """
+ maporder = "unconfined_u:s0-s0:c0.c1023"
+
+ # set a new default
+ result = self.master.run_command(
+ ["ipa", "config-mod",
+ "--ipaselinuxusermaporder={}".format(maporder)],
+ raiseonerr=False
+ )
+ assert result.returncode == 0
+
+ # apply the update
+ result = self.master.run_command(
+ ["ipa-server-upgrade"],
+ raiseonerr=False
+ )
+ assert result.returncode == 0
+
+ # ensure result is the same
+ result = self.master.run_command(
+ ["ipa", "config-show"],
+ raiseonerr=False
+ )
+ assert result.returncode == 0
+ assert "SELinux user map order: {}".format(
+ maporder) in result.stdout_text
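Review bot: The new `replace:` line repeats the attribute name after the `::` separator, which looks unintended. If the updater reads this directive as `old::new` (worth confirming against the update-file parser), the value written would begin with the literal text `ipaSELinuxUserMapOrder: `, leaving the entry with a malformed SELinux user map order. On that reading the order carrying `user_u:s0-s0:c0.c1023` is also the one being matched and replaced rather than the one being installed, so please confirm the direction and drop the repeated attribute name from the second half. A `#` comment above the line, saying that only the shipped default is rewritten and a customised order is left alone, would record the intent for the next editor.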
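Review bot: `test_change_selinuxusermaporder` never restores the map order it sets, so any test that runs after it sees a server whose SELinux user map order is the single entry `unconfined_u:s0-s0:c0.c1023`; the original value should be captured first and put back in a `finally`. The test also covers only the customised case: nothing checks that an untouched default is still migrated by `ipa-server-upgrade`, which is the other half of what the update file is meant to do. Dropping `raiseonerr=False` would presumably let `run_command` report the failing command itself instead of a bare `assert result.returncode == 0`. The class body starts outside the hunk.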