From 96af5394c210e637a5ab81d6925be3b0a429fc08 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Fri, 5 Jul 2019 14:39:17 +0300
Subject: [PATCH] Fix `test_webui.test_selinuxusermap`
A previous refactoring of SELinux tests made a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 install/updates/50-ipaconfig.update                |  1 +
 ipaplatform/base/constants.py                      | 10 +++++-----
 ipaserver/install/ldapupdate.py                    |  3 +++
 ipatests/test_integration/test_winsyncmigrate.py   |  2 +-
 ipatests/test_webui/data_selinuxusermap.py         |  4 ++--
 ipatests/test_xmlrpc/test_selinuxusermap_plugin.py |  4 ++--
 6 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
544061
index 2e1c5c357..35e154b4e 100644
544061
--- a/install/updates/50-ipaconfig.update
544061
+++ b/install/updates/50-ipaconfig.update
544061
@@ -1,4 +1,5 @@
544061
 dn: cn=ipaConfig,cn=etc,$SUFFIX
544061
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
544061
 replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
544061
 replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
544061
 add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
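Review bot: The added `replace:` line carries no explanation of its quadrupled `$$$$`, and its old-value side is the hard-coded base default rather than a pattern. After template substitution `$$$$` becomes the literal `$$` that the earlier release stored, so the rule presumably matches only that exact string; a deployment whose stored ipaSELinuxUserMapOrder differs from it (a platform override or an administrator edit) would keep the wrong separator, and that case is worth checking on upgrade. If `#` comment lines are acceptable in this update file, I would add above the rule: `# Rewrite the '$$'-separated default written by an earlier release; '$$$$' is the template escape for a literal '$$'`. The rule also depends on `SELINUX_USERMAP_ORDER` being present in the substitution dictionary, which this commit adds in ipaserver/install/ldapupdate.py.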
544061
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
544061
index cdb72e74a..eac60cac3 100644
544061
--- a/ipaplatform/base/constants.py
544061
+++ b/ipaplatform/base/constants.py
544061
@@ -62,11 +62,11 @@ class BaseConstantsNamespace:
544061
     SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
544061
     SELINUX_USERMAP_ORDER = (
544061
         "guest_u:s0"
544061
-        "$$xguest_u:s0"
544061
-        "$$user_u:s0"
544061
-        "$$staff_u:s0-s0:c0.c1023"
544061
-        "$$sysadm_u:s0-s0:c0.c1023"
544061
-        "$$unconfined_u:s0-s0:c0.c1023"
544061
+        "$xguest_u:s0"
544061
+        "$user_u:s0"
544061
+        "$staff_u:s0-s0:c0.c1023"
544061
+        "$sysadm_u:s0-s0:c0.c1023"
544061
+        "$unconfined_u:s0-s0:c0.c1023"
544061
     )
544061
     SSSD_USER = "sssd"
544061
     # WSGI module override, only used on Fedora
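Review bot: `SELINUX_USERMAP_ORDER` now embeds bare `$` characters with no comment saying why, which is the same ambiguity that caused the wrong `$$` in the first place. A short comment above the assignment would keep the next editor from re-escaping it, for example `# '$' is the ipaSELinuxUserMapOrder field separator; do not escape it, template files receive this value by substitution`. It should also say that the string must not be pasted literally into a `.ldif` or `.update` template, where `$xguest_u` and the other entries would be read as placeholders. The body of BaseConstantsNamespace continues outside this hunk.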
544061
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
544061
index d9e47dcc0..0cdea6a82 100644
544061
--- a/ipaserver/install/ldapupdate.py
544061
+++ b/ipaserver/install/ldapupdate.py
544061
@@ -322,6 +322,9 @@ class LDAPUpdate:
544061
         if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
544061
             self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
544061
                 platformconstants.SELINUX_USERMAP_DEFAULT
544061
+        if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
544061
+            self.sub_dict["SELINUX_USERMAP_ORDER"] = \
544061
+                platformconstants.SELINUX_USERMAP_ORDER
544061
         self.api = create_api(mode=None)
544061
         self.api.bootstrap(in_server=True,
544061
                            context='updates',
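Review bot: The new `SELINUX_USERMAP_ORDER` fallback is undocumented, although install/updates/50-ipaconfig.update now requires this key for its `$SELINUX_USERMAP_ORDER` placeholder. I would add above the `if`: `# required by 50-ipaconfig.update, which rewrites the '$$'-separated ipaSELinuxUserMapOrder`. Because the check is `if not self.sub_dict.get(...)`, a value supplied by the caller is used verbatim, so a caller passing a `$$`-separated order would presumably reintroduce the wrong separator; confirm that no caller does. The enclosing method starts and ends outside this hunk.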
544061
diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py
544061
index 593fc2065..be9f44072 100644
544061
--- a/ipatests/test_integration/test_winsyncmigrate.py
544061
+++ b/ipatests/test_integration/test_winsyncmigrate.py
544061
@@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
544061
     ipa_group = 'ipa_group'
544061
     ad_user = 'testuser'
544061
     default_shell = platformconstants.DEFAULT_SHELL
544061
-    selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
544061
+    selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
544061
     test_role = 'test_role'
544061
     test_hbac_rule = 'test_hbac_rule'
544061
     test_selinux_map = 'test_selinux_map'
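Review bot: The separator literal `"$"` in `SELINUX_USERMAP_ORDER.split("$")[0]` is still spelled out at each call site, here and in the hunks for ipatests/test_webui/data_selinuxusermap.py and ipatests/test_xmlrpc/test_selinuxusermap_plugin.py. That repeated literal is what went wrong in the previous refactoring, so the five call sites can drift from the constant again. Defining the separator once next to the constant and splitting on that name would keep them in step, for example `SELINUX_USER_SEP = "$"` (the name is only a suggestion) with `SELINUX_USERMAP_ORDER.split(SELINUX_USER_SEP)[0]`. The `[1]` lookups in the other two files also assume the platform order has at least two entries, which deserves a comment.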
544061
diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py
544061
index ca7b1dcdd..312e7592f 100644
544061
--- a/ipatests/test_webui/data_selinuxusermap.py
544061
+++ b/ipatests/test_webui/data_selinuxusermap.py
544061
@@ -5,8 +5,8 @@
544061
 from ipaplatform.constants import constants as platformconstants
544061
 
544061
 # for example, user_u:s0
544061
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
544061
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
544061
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
544061
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
544061
 
544061
 selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
544061
 selinux_mls_max = platformconstants.SELINUX_MLS_MAX
544061
diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
544061
index 0b73992aa..e5b23bd4d 100644
544061
--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
544061
+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
544061
@@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
544061
 import pytest
544061
 
544061
 rule1 = u'selinuxrule1'
544061
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
544061
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
544061
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
544061
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
544061
 
544061
 INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
544061
     platformconstants.SELINUX_MCS_REGEX,
-- 
2.21.0