|
 |
e8574e |
From 96af5394c210e637a5ab81d6925be3b0a429fc08 Mon Sep 17 00:00:00 2001
|
|
|
e8574e |
From: Stanislav Levin <slev@altlinux.org>
|
|
|
e8574e |
Date: Fri, 5 Jul 2019 14:39:17 +0300
|
|
|
e8574e |
Subject: [PATCH] Fix `test_webui.test_selinuxusermap`
|
|
|
e8574e |
|
|
|
e8574e |
A previous refactoring of SELinux tests has have a wrong
|
|
|
e8574e |
assumption about the user field separator within
|
|
|
e8574e |
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
|
|
|
e8574e |
|
|
|
e8574e |
Actually, '.ldif' and '.update' files are passed through
|
|
|
e8574e |
Python template string substitution:
|
|
|
e8574e |
|
|
|
e8574e |
> $$ is an escape; it is replaced with a single $.
|
|
|
e8574e |
> $identifier names a substitution placeholder matching
|
|
|
e8574e |
> a mapping key of "identifier"
|
|
|
e8574e |
|
|
|
e8574e |
This means that the text to be substituted on should not be escaped.
|
|
|
e8574e |
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
|
|
|
e8574e |
upgrade.
|
|
|
e8574e |
|
|
|
e8574e |
Fixes: https://pagure.io/freeipa/issue/7996
|
|
|
e8574e |
Fixes: https://pagure.io/freeipa/issue/8005
|
|
|
e8574e |
Signed-off-by: Stanislav Levin <slev@altlinux.org>
|
|
|
e8574e |
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
|
e8574e |
---
|
|
|
e8574e |
install/updates/50-ipaconfig.update | 1 +
|
|
|
e8574e |
ipaplatform/base/constants.py | 10 +++++-----
|
|
|
e8574e |
ipaserver/install/ldapupdate.py | 3 +++
|
|
|
e8574e |
ipatests/test_integration/test_winsyncmigrate.py | 2 +-
|
|
|
e8574e |
ipatests/test_webui/data_selinuxusermap.py | 4 ++--
|
|
|
e8574e |
ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 4 ++--
|
|
|
e8574e |
6 files changed, 14 insertions(+), 10 deletions(-)
|
|
|
e8574e |
|
|
|
e8574e |
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
|
|
|
e8574e |
index 2e1c5c357..35e154b4e 100644
|
|
|
e8574e |
--- a/install/updates/50-ipaconfig.update
|
|
|
e8574e |
+++ b/install/updates/50-ipaconfig.update
|
|
|
e8574e |
@@ -1,4 +1,5 @@
|
|
|
e8574e |
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
|
|
e8574e |
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
|
|
|
e8574e |
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
|
|
e8574e |
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
|
|
|
e8574e |
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
|
|
|
e8574e |
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
|
|
|
e8574e |
index cdb72e74a..eac60cac3 100644
|
|
|
e8574e |
--- a/ipaplatform/base/constants.py
|
|
|
e8574e |
+++ b/ipaplatform/base/constants.py
|
|
|
e8574e |
@@ -62,11 +62,11 @@ class BaseConstantsNamespace:
|
|
|
e8574e |
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
|
|
|
e8574e |
SELINUX_USERMAP_ORDER = (
|
|
|
e8574e |
"guest_u:s0"
|
|
|
e8574e |
- "$$xguest_u:s0"
|
|
|
e8574e |
- "$$user_u:s0"
|
|
|
e8574e |
- "$$staff_u:s0-s0:c0.c1023"
|
|
|
e8574e |
- "$$sysadm_u:s0-s0:c0.c1023"
|
|
|
e8574e |
- "$$unconfined_u:s0-s0:c0.c1023"
|
|
|
e8574e |
+ "$xguest_u:s0"
|
|
|
e8574e |
+ "$user_u:s0"
|
|
|
e8574e |
+ "$staff_u:s0-s0:c0.c1023"
|
|
|
e8574e |
+ "$sysadm_u:s0-s0:c0.c1023"
|
|
|
e8574e |
+ "$unconfined_u:s0-s0:c0.c1023"
|
|
|
e8574e |
)
|
|
|
e8574e |
SSSD_USER = "sssd"
|
|
|
e8574e |
# WSGI module override, only used on Fedora
|
|
|
e8574e |
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
|
|
|
e8574e |
index d9e47dcc0..0cdea6a82 100644
|
|
|
e8574e |
--- a/ipaserver/install/ldapupdate.py
|
|
|
e8574e |
+++ b/ipaserver/install/ldapupdate.py
|
|
|
e8574e |
@@ -322,6 +322,9 @@ class LDAPUpdate:
|
|
|
e8574e |
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
|
|
|
e8574e |
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
|
|
|
e8574e |
platformconstants.SELINUX_USERMAP_DEFAULT
|
|
|
e8574e |
+ if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
|
|
|
e8574e |
+ self.sub_dict["SELINUX_USERMAP_ORDER"] = \
|
|
|
e8574e |
+ platformconstants.SELINUX_USERMAP_ORDER
|
|
|
e8574e |
self.api = create_api(mode=None)
|
|
|
e8574e |
self.api.bootstrap(in_server=True,
|
|
|
e8574e |
context='updates',
|
|
|
e8574e |
diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py
|
|
|
e8574e |
index 593fc2065..be9f44072 100644
|
|
|
e8574e |
--- a/ipatests/test_integration/test_winsyncmigrate.py
|
|
|
e8574e |
+++ b/ipatests/test_integration/test_winsyncmigrate.py
|
|
|
e8574e |
@@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
|
|
|
e8574e |
ipa_group = 'ipa_group'
|
|
|
e8574e |
ad_user = 'testuser'
|
|
|
e8574e |
default_shell = platformconstants.DEFAULT_SHELL
|
|
|
e8574e |
- selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
|
|
e8574e |
+ selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
|
|
e8574e |
test_role = 'test_role'
|
|
|
e8574e |
test_hbac_rule = 'test_hbac_rule'
|
|
|
e8574e |
test_selinux_map = 'test_selinux_map'
|
|
|
e8574e |
diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py
|
|
|
e8574e |
index ca7b1dcdd..312e7592f 100644
|
|
|
e8574e |
--- a/ipatests/test_webui/data_selinuxusermap.py
|
|
|
e8574e |
+++ b/ipatests/test_webui/data_selinuxusermap.py
|
|
|
e8574e |
@@ -5,8 +5,8 @@
|
|
|
e8574e |
from ipaplatform.constants import constants as platformconstants
|
|
|
e8574e |
|
|
|
e8574e |
# for example, user_u:s0
|
|
|
e8574e |
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
|
|
e8574e |
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
|
|
|
e8574e |
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
|
|
e8574e |
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
|
|
|
e8574e |
|
|
|
e8574e |
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
|
|
|
e8574e |
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
|
|
|
e8574e |
diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
|
|
|
e8574e |
index 0b73992aa..e5b23bd4d 100644
|
|
|
e8574e |
--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
|
|
|
e8574e |
+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
|
|
|
e8574e |
@@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
|
|
|
e8574e |
import pytest
|
|
|
e8574e |
|
|
|
e8574e |
rule1 = u'selinuxrule1'
|
|
|
e8574e |
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
|
|
|
e8574e |
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
|
|
|
e8574e |
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
|
|
|
e8574e |
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
|
|
|
e8574e |
|
|
|
e8574e |
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
|
|
|
e8574e |
platformconstants.SELINUX_MCS_REGEX,
|
|
|
e8574e |
--
|
|
|
e8574e |
2.21.0
|
|
|
e8574e |
|