From f976f6cfd8d3ca1f9bff822278086df1f999fdbe Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 1 Jun 2018 15:19:35 -0400
Subject: [PATCH] Use replace instead of add to set new default ipaSELinuxUserMapOrder
The add was in effect replacing whatever data was already there causing any custom order to be lost on each run of ipa-server-upgrade.
https://pagure.io/freeipa/issue/6610
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
 install/updates/50-ipaconfig.update | 2 +-
 ipatests/test_integration/test_commands.py | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 23d2919db..18501cb7b 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
-add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
 remove:ipaConfigString:AllowLMhash
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 7a4d7b995..9d20818b2 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
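Review bot: The new `replace:` line in 50-ipaconfig.update depends on the value being read as `old::new`, and nothing in the file says which side is which or why `add` must not be used here, so a later edit could reintroduce the overwrite of a customised order. I would put a comment directly above it, e.g. `# replace is old::new: only the legacy default is rewritten, a customised order is kept` (assuming the update parser skips `#` lines). Because the match is on the exact legacy string, a stored order that differs from it in any way keeps its `user_u:s0-s0:c0.c1023` entry. That looks like the intended trade-off, but it is worth stating in the file, since this attribute decides which SELinux user a login is confined to.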
@@ -133,3 +133,34 @@ class TestIPACommand(IntegrationTest): tasks.ldappasswd_sysaccount_change(sysuser, original_passwd, new_passwd, master) + + def test_change_selinuxusermaporder(self): + """ + An update file meant to ensure a more sane default was + overriding any customization done to the order. + """ + maporder = "unconfined_u:s0-s0:c0.c1023" + + # set a new default + result = self.master.run_command( + ["ipa", "config-mod", + "--ipaselinuxusermaporder={}".format(maporder)], + raiseonerr=False + ) + assert result.returncode == 0 + + # apply the update + result = self.master.run_command( + ["ipa-server-upgrade"], + raiseonerr=False + ) + assert result.returncode == 0 + + # ensure result is the same + result = self.master.run_command( + ["ipa", "config-show"], + raiseonerr=False + ) + assert result.returncode == 0 + assert "SELinux user map order: {}".format( + maporder) in result.stdout_text
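Review bot: `test_change_selinuxusermaporder` rewrites the global map order to the single entry `unconfined_u:s0-s0:c0.c1023` and never puts it back, so every later test on this master runs with that order, and a failing assert leaves it that way too. Wrapping the steps in `try`/`finally` and restoring the shipped order would keep the test self-contained. The value below is taken from the update file in this commit, assuming `$$` there is the escaped form of `$`. The test also covers only the "custom order survives" case; a second check that the legacy default is still migrated would cover the other half of the `replace`. The enclosing class `TestIPACommand` starts outside the hunk.

```python
    def test_change_selinuxusermaporder(self):
        # … unchanged: docstring …
        default_order = ("guest_u:s0$xguest_u:s0$user_u:s0"
                         "$staff_u:s0-s0:c0.c1023"
                         "$unconfined_u:s0-s0:c0.c1023")
        maporder = "unconfined_u:s0-s0:c0.c1023"
        try:
            # … unchanged: config-mod, ipa-server-upgrade, config-show and asserts …
        finally:
            # restore the shipped order so later tests do not inherit the custom one
            self.master.run_command(
                ["ipa", "config-mod",
                 "--ipaselinuxusermaporder={}".format(default_order)],
                raiseonerr=False
            )
```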