From 463e5e73a27bb31e3549c9204efe20555b7cb8dd Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Fri, 1 Jun 2018 15:19:35 -0400

Subject: [PATCH] Use replace instead of add to set new default

 ipaSELinuxUserMapOrder

The add was in effect replacing whatever data was already there

causing any custom order to be lost on each run of

ipa-server-upgrade.

https://pagure.io/freeipa/issue/6610

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>

---

 install/updates/50-ipaconfig.update        |  2 +-

 ipatests/test_integration/test_commands.py | 48 ++++++++++++++++++++++++++++++

 2 files changed, 49 insertions(+), 1 deletion(-)

 create mode 100644 ipatests/test_integration/test_commands.py

diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update

index 23d2919dbd976c34d9217fc31cca88a0df6c7f5b..18501cb7b8a87377a76bc53b7fe3c469c23e2d41 100644

--- a/install/updates/50-ipaconfig.update

+++ b/install/updates/50-ipaconfig.update

@@ -1,5 +1,5 @@

 dn: cn=ipaConfig,cn=etc,$SUFFIX

-add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023

+replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023

 add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023

 add:ipaUserObjectClasses: ipasshuser

 remove:ipaConfigString:AllowLMhash

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py

new file mode 100644

index 0000000000000000000000000000000000000000..b2c0d5c710c9810cfd74216983f793808f4cf3c4

--- /dev/null

+++ b/ipatests/test_integration/test_commands.py

@@ -0,0 +1,48 @@

+#

+# Copyright (C) 2018  FreeIPA Contributors see COPYING for license

+#

+"""Misc test for 'ipa' CLI regressions

+"""

+from __future__ import absolute_import

+

+from ipatests.test_integration.base import IntegrationTest

+

+

+class TestIPACommand(IntegrationTest):

+    """

+    A lot of commands can be executed against a single IPA installation

+    so provide a generic class to execute one-off commands that need to be

+    tested without having to fire up a full server to run one command.

+    """

+    topology = 'line'

+

+    def test_change_selinuxusermaporder(self):

+        """

+        An update file meant to ensure a more sane default was

+        overriding any customization done to the order.

+        """

+        maporder = "unconfined_u:s0-s0:c0.c1023"

+

+        # set a new default

+        result = self.master.run_command(

+            ["ipa", "config-mod",

+             "--ipaselinuxusermaporder={}".format(maporder)],

+            raiseonerr=False

+        )

+        assert result.returncode == 0

+

+        # apply the update

+        result = self.master.run_command(

+            ["ipa-server-upgrade"],

+            raiseonerr=False

+        )

+        assert result.returncode == 0

+

+        # ensure result is the same

+        result = self.master.run_command(

+            ["ipa", "config-show"],

+            raiseonerr=False

+        )

+        assert result.returncode == 0

+        assert "SELinux user map order: {}".format(

+            maporder) in result.stdout_text

-- 

2.14.4