From 1853e2ecd6b5cbe389507a8c3fc751deaf512bb6 Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Nov 12 2018 07:52:27 +0000
Subject: Add sysadm_r to default SELinux user map order
It is a standard SELinux user role included in RHEL (like
user_r, staff_r, guest_r) and used quite often.
Fixes: https://pagure.io/freeipa/issue/7658
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
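diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index ea1e5b2..8cc79d1 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -411,7 +411,7 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaConfigString: KDC:Disable Last Success
-ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
+ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$sysadm_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 
 dn: cn=cosTemplates,cn=accounts,$SUFFIX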
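Review bot: The new `sysadm_u:s0-s0:c0.c1023` entry reaches only servers installed from this template; no hunk visible in this patch updates `ipaSELinuxUserMapOrder` on deployments that already exist, so those presumably keep the old order until an administrator changes it. If that is intended, a sentence in the commit message would help, e.g. `Existing installations are not modified; add sysadm_u to the order with config-mod if needed.` The message also names the role `sysadm_r` while the value added is the SELinux user `sysadm_u`; using one term throughout would avoid confusion. `ipaSELinuxUserMapDefault` stays `unconfined_u:s0-s0:c0.c1023`, so the change makes the confined administrator user selectable but does not tighten the default.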
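diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
index 71c9d73..4298f7d 100644
--- a/install/ui/test/data/ipa_init.json
+++ b/install/ui/test/data/ipa_init.json
@@ -36,7 +36,7 @@
 "ipausers"
 ],
 "ipaselinuxusermaporder" : [
- "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
+ "guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023"
 ],
 "ca_renewal_master_server" : [
 "vm.example.com"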
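diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
index 049e44d..cb8cdeb 100644
--- a/ipatests/test_xmlrpc/test_config_plugin.py
+++ b/ipatests/test_xmlrpc/test_config_plugin.py
@@ -148,8 +148,12 @@ class test_config(Declarative):
 
 dict(
 desc='Try to set new selinux order and invalid default user',
- command=('config_mod', [],
- dict(ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
+ command=(
+ 'config_mod', [],
+ dict(
+ ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0'
+ u'$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023'
+ u'$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
 ipaselinuxusermapdefault=u'unknown_u:s0')),
 expected=errors.ValidationError(name='ipaselinuxusermapdefault',
 error='SELinux user map default user not in order list'),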
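Review bot: The only test touched here is the rejection case for `ipaselinuxusermapdefault=u'unknown_u:s0'`, so nothing visible in this hunk checks that the newly listed user is accepted. A sibling entry with `ipaselinuxusermapdefault=u'sysadm_u:s0-s0:c0.c1023'` and the same order string would pin that a default pointing at the new user passes validation; it would need to restore the previous default afterwards, since the declarative tests presumably share one config entry. The order string here also uses `user_u:s0-s0:c0.c1023` where the template has `user_u:s0`; that predates this change, but a short comment saying the difference is deliberate would help. The enclosing test list and class continue outside the hunk.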