freeipa/ipaplatform/base/constants.py
Alexander Bokovoy d355761f23 ipa-client-install: enable SELinux for SSSD
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2023-09-11 09:24:31 +02:00


#
# Copyright (C) 2015 FreeIPA Contributors see COPYING for license
#
'''
This base platform module exports platform-dependent constants.
'''
import grp
import os
import pwd
import sys
class _Entity(str):
    """A ``str`` naming a system account, with one slot for a cached lookup.

    Subclasses fill ``_entity`` lazily with the pwd/grp record for the name.
    Constructing from an instance of the same class hands that very object
    back; note that ``__init__`` still runs on it and clears the cache slot.
    """

    __slots__ = ("_entity",)

    def __new__(cls, name):
        # Identity shortcut: an existing instance of cls is returned as-is,
        # anything else (plain str, other entity type) becomes a new instance.
        if not isinstance(name, cls):
            return super().__new__(cls, name)
        return name

    def __init__(self, name):
        super().__init__()
        # Lookup cache, populated on first access by the subclass property.
        self._entity = None

    def __str__(self):
        # The bare string value, independent of the custom repr below.
        return super().__str__()

    def __repr__(self):
        type_name = type(self).__name__
        return f'<{type_name} "{self!s}">'
class User(_Entity):
    """Name of a local user account, resolved lazily through ``pwd``."""

    __slots__ = ()

    @property
    def entity(self):
        """User information struct

        :return: pwd.struct_passwd instance
        :raises ValueError: if the name is not in the passwd database
        """
        cached = self._entity
        if cached is not None:
            return cached
        try:
            record = pwd.getpwnam(self)
        except KeyError:
            # Surface the miss as a ValueError; the KeyError is not chained.
            raise ValueError(f"user '{self!s}' not found") from None
        self._entity = record
        return record

    @property
    def uid(self):
        """Numeric user id (int)"""
        return self.entity.pw_uid

    @property
    def pgid(self):
        """Primary group id (int)"""
        return self.entity.pw_gid

    def chown(self, path, gid=None, **kwargs):
        """chown() file by path or file descriptor

        gid defaults to user's primary gid. Use -1 to keep gid.
        A :class:`Group` instance is accepted in place of a numeric gid.
        Remaining keyword arguments are forwarded to :func:`os.chown`.
        """
        target_gid = gid
        if target_gid is None:
            target_gid = self.pgid
        elif isinstance(target_gid, Group):
            target_gid = target_gid.gid
        os.chown(path, self.uid, target_gid, **kwargs)
class Group(_Entity):
    """Name of a local group, resolved lazily through ``grp``."""

    __slots__ = ()

    @property
    def entity(self):
        """Group information

        :return: grp.struct_group instance
        :raises ValueError: if the name is not in the group database
        """
        cached = self._entity
        if cached is not None:
            return cached
        try:
            record = grp.getgrnam(self)
        except KeyError:
            # Surface the miss as a ValueError; the KeyError is not chained.
            raise ValueError(f"group '{self!s}' not found") from None
        self._entity = record
        return record

    @property
    def gid(self):
        """Numeric group id (int)"""
        return self.entity.gr_gid

    def chgrp(self, path, **kwargs):
        """change group owner file by path or file descriptor

        The owning uid is left untouched (-1); keyword arguments are
        forwarded to :func:`os.chown`.
        """
        os.chown(path, -1, self.gid, **kwargs)
class BaseConstantsNamespace:
    """Base set of platform-dependent constants.

    Service accounts are :class:`User`/:class:`Group` names that are only
    resolved against pwd/grp when first used, so importing this module does
    not require those accounts to exist.
    """

    IS_64BITS = sys.maxsize > 2 ** 32
    DEFAULT_ADMIN_SHELL = '/bin/bash'
    DEFAULT_SHELL = '/bin/sh'
    IPAAPI_USER = User("ipaapi")
    IPAAPI_GROUP = Group("ipaapi")
    DS_USER = User("dirsrv")
    DS_GROUP = Group("dirsrv")
    HTTPD_USER = User("apache")
    HTTPD_GROUP = Group("apache")
    # gssproxy runs as root here; no group counterpart is defined.
    GSSPROXY_USER = User("root")
    IPA_ADTRUST_PACKAGE_NAME = "freeipa-server-trust-ad"
    IPA_DNS_PACKAGE_NAME = "freeipa-server-dns"
    KDCPROXY_USER = User("kdcproxy")
    NAMED_USER = User("named")
    NAMED_GROUP = Group("named")
    NAMED_DATA_DIR = "data/"
    NAMED_OPTIONS_VAR = "OPTIONS"
    NAMED_OPENSSL_ENGINE = None
    NAMED_ZONE_COMMENT = ""
    PKI_USER = User("pkiuser")
    PKI_GROUP = Group("pkiuser")
    # ntpd init variable used for daemon options
    NTPD_OPTS_VAR = "OPTIONS"
    # quote used for daemon options
    NTPD_OPTS_QUOTE = "\""
    ODS_USER = User("ods")
    ODS_GROUP = Group("ods")
    # nfsd init variable used to enable kerberized NFS
    SECURE_NFS_VAR = "SECURE_NFS"
    # SELinux boolean sets: each maps boolean name -> desired state ('on').
    # Keeping them minimal matters: every boolean widens what the confined
    # domain may do, so only what the service needs is listed.
    SELINUX_BOOLEAN_ADTRUST = {
        'samba_portmapper': 'on',
    }
    SELINUX_BOOLEAN_HTTPD = {
        'httpd_can_network_connect': 'on',
        'httpd_manage_ipa': 'on',
        'httpd_run_ipa': 'on',
        'httpd_dbus_sssd': 'on',
    }
    # Unlike above, there are multiple use cases for SMB sharing
    # SELINUX_BOOLEAN_SMBSERVICE is a dictionary of dictionaries
    # to define set of booleans for each use case
    SELINUX_BOOLEAN_SMBSERVICE = {
        'share_home_dirs': {
            'samba_enable_home_dirs': 'on',
        },
        'reshare_nfs_with_samba': {
            'samba_share_nfs': 'on',
        },
    }
    # Lets SSSD reach USB devices, which libfido2 needs for passkey (FIDO2)
    # authentication. Installers should tolerate a policy that lacks this
    # boolean (warn, do not fail), since older policies may not define it.
    SELINUX_BOOLEAN_SSSD = {
        'sssd_use_usb': 'on',
    }
    # MCS categories c0..c1023 and MLS levels s0..s15; the regexes validate
    # the syntactic shape of a range, the *_MAX values bound its numbers.
    SELINUX_MCS_MAX = 1023
    SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
    SELINUX_MLS_MAX = 15
    SELINUX_MLS_REGEX = r"^s(\d+)(-s(\d+))?$"
    SELINUX_USER_REGEX = r"^[a-zA-Z][a-zA-Z_\.]*$"
    SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
    # Adjacent literals concatenate into one '$'-separated string, ordered
    # from least to most privileged SELinux user.
    SELINUX_USERMAP_ORDER = (
        "guest_u:s0"
        "$xguest_u:s0"
        "$user_u:s0"
        "$staff_u:s0-s0:c0.c1023"
        "$sysadm_u:s0-s0:c0.c1023"
        "$unconfined_u:s0-s0:c0.c1023"
    )
    SSSD_USER = User("sssd")
    # WSGI module override, only used on Fedora
    MOD_WSGI_PYTHON2 = None
    MOD_WSGI_PYTHON3 = None
    # WSGIDaemonProcess process count. On 64bit platforms, each process
    # consumes about 110 MB RSS, from which are about 35 MB shared.
    WSGI_PROCESSES = 4 if IS_64BITS else 2
    # high ciphers without RC4, MD5, TripleDES, pre-shared key, secure
    # remote password, and DSA cert authentication.
    # OpenSSL cipher-list syntax; the '!' entries are hard exclusions.
    TLS_HIGH_CIPHERS = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP:!aDSS"
# Module-level instance that importers use to read the constants above.
constants = BaseConstantsNamespace()