mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-11 00:31:56 -06:00
d355761f23
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean. Fixes: https://pagure.io/freeipa/issue/9434 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
184 lines
5.0 KiB
Python
184 lines
5.0 KiB
Python
#
|
|
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
'''
|
|
This base platform module exports platform dependant constants.
|
|
'''
|
|
import grp
|
|
import os
|
|
import pwd
|
|
import sys
|
|
|
|
|
|
class _Entity(str):
|
|
__slots__ = ("_entity", )
|
|
|
|
def __new__(cls, name):
|
|
# if 'name' is already an instance of cls, return identical name
|
|
if isinstance(name, cls):
|
|
return name
|
|
else:
|
|
return super().__new__(cls, name)
|
|
|
|
def __init__(self, name):
|
|
super().__init__()
|
|
self._entity = None
|
|
|
|
def __str__(self):
|
|
return super().__str__()
|
|
|
|
def __repr__(self):
|
|
return f'<{self.__class__.__name__} "{self!s}">'
|
|
|
|
|
|
class User(_Entity):
|
|
__slots__ = ()
|
|
|
|
@property
|
|
def entity(self):
|
|
"""User information struct
|
|
|
|
:return: pwd.struct_passwd instance
|
|
"""
|
|
entity = self._entity
|
|
if entity is None:
|
|
try:
|
|
self._entity = entity = pwd.getpwnam(self)
|
|
except KeyError:
|
|
raise ValueError(f"user '{self!s}' not found") from None
|
|
return entity
|
|
|
|
@property
|
|
def uid(self):
|
|
"""Numeric user id (int)
|
|
"""
|
|
return self.entity.pw_uid
|
|
|
|
@property
|
|
def pgid(self):
|
|
"""Primary group id (int)"""
|
|
return self.entity.pw_gid
|
|
|
|
def chown(self, path, gid=None, **kwargs):
|
|
"""chown() file by path or file descriptor
|
|
|
|
gid defaults to user's primary gid. Use -1 to keep gid.
|
|
"""
|
|
if gid is None:
|
|
gid = self.pgid
|
|
elif isinstance(gid, Group):
|
|
gid = gid.gid
|
|
os.chown(path, self.uid, gid, **kwargs)
|
|
|
|
|
|
class Group(_Entity):
|
|
__slots__ = ()
|
|
|
|
@property
|
|
def entity(self):
|
|
"""Group information
|
|
|
|
:return: grp.struct_group instance
|
|
"""
|
|
entity = self._entity
|
|
if entity is None:
|
|
try:
|
|
self._entity = entity = grp.getgrnam(self)
|
|
except KeyError:
|
|
raise ValueError(f"group '{self!s}' not found") from None
|
|
return entity
|
|
|
|
@property
|
|
def gid(self):
|
|
"""Numeric group id (int)
|
|
"""
|
|
return self.entity.gr_gid
|
|
|
|
def chgrp(self, path, **kwargs):
|
|
"""change group owner file by path or file descriptor
|
|
"""
|
|
os.chown(path, -1, self.gid, **kwargs)
|
|
|
|
|
|
class BaseConstantsNamespace:
|
|
IS_64BITS = sys.maxsize > 2 ** 32
|
|
DEFAULT_ADMIN_SHELL = '/bin/bash'
|
|
DEFAULT_SHELL = '/bin/sh'
|
|
IPAAPI_USER = User("ipaapi")
|
|
IPAAPI_GROUP = Group("ipaapi")
|
|
DS_USER = User("dirsrv")
|
|
DS_GROUP = Group("dirsrv")
|
|
HTTPD_USER = User("apache")
|
|
HTTPD_GROUP = Group("apache")
|
|
GSSPROXY_USER = User("root")
|
|
IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"
|
|
IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
|
|
KDCPROXY_USER = User("kdcproxy")
|
|
NAMED_USER = User("named")
|
|
NAMED_GROUP = Group("named")
|
|
NAMED_DATA_DIR = "data/"
|
|
NAMED_OPTIONS_VAR = "OPTIONS"
|
|
NAMED_OPENSSL_ENGINE = None
|
|
NAMED_ZONE_COMMENT = ""
|
|
PKI_USER = User("pkiuser")
|
|
PKI_GROUP = Group("pkiuser")
|
|
# ntpd init variable used for daemon options
|
|
NTPD_OPTS_VAR = "OPTIONS"
|
|
# quote used for daemon options
|
|
NTPD_OPTS_QUOTE = "\""
|
|
ODS_USER = User("ods")
|
|
ODS_GROUP = Group("ods")
|
|
# nfsd init variable used to enable kerberized NFS
|
|
SECURE_NFS_VAR = "SECURE_NFS"
|
|
SELINUX_BOOLEAN_ADTRUST = {
|
|
'samba_portmapper': 'on',
|
|
}
|
|
SELINUX_BOOLEAN_HTTPD = {
|
|
'httpd_can_network_connect': 'on',
|
|
'httpd_manage_ipa': 'on',
|
|
'httpd_run_ipa': 'on',
|
|
'httpd_dbus_sssd': 'on',
|
|
}
|
|
# Unlike above, there are multiple use cases for SMB sharing
|
|
# SELINUX_BOOLEAN_SMBSERVICE is a dictionary of dictionaries
|
|
# to define set of booleans for each use case
|
|
SELINUX_BOOLEAN_SMBSERVICE = {
|
|
'share_home_dirs': {
|
|
'samba_enable_home_dirs': 'on',
|
|
},
|
|
'reshare_nfs_with_samba': {
|
|
'samba_share_nfs': 'on',
|
|
},
|
|
}
|
|
SELINUX_BOOLEAN_SSSD = {
|
|
'sssd_use_usb': 'on',
|
|
}
|
|
SELINUX_MCS_MAX = 1023
|
|
SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
|
|
SELINUX_MLS_MAX = 15
|
|
SELINUX_MLS_REGEX = r"^s(\d+)(-s(\d+))?$"
|
|
SELINUX_USER_REGEX = r"^[a-zA-Z][a-zA-Z_\.]*$"
|
|
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
|
|
SELINUX_USERMAP_ORDER = (
|
|
"guest_u:s0"
|
|
"$xguest_u:s0"
|
|
"$user_u:s0"
|
|
"$staff_u:s0-s0:c0.c1023"
|
|
"$sysadm_u:s0-s0:c0.c1023"
|
|
"$unconfined_u:s0-s0:c0.c1023"
|
|
)
|
|
SSSD_USER = User("sssd")
|
|
# WSGI module override, only used on Fedora
|
|
MOD_WSGI_PYTHON2 = None
|
|
MOD_WSGI_PYTHON3 = None
|
|
# WSGIDaemonProcess process count. On 64bit platforms, each process
|
|
# consumes about 110 MB RSS, from which are about 35 MB shared.
|
|
WSGI_PROCESSES = 4 if IS_64BITS else 2
|
|
# high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
|
|
# remote password, and DSA cert authentication.
|
|
TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
|
|
|
|
|
|
constants = BaseConstantsNamespace()
|