Fix setting the user in a rule using setattr. We weren't verifying that it was in the ordered list.

I also noticed that a missing MLS component was being accepted when it shouldn't be. Made it required.


rob
>From 4fa293408f3605ef52bf2aec42305562414f7bae Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 15 Aug 2012 17:21:19 -0400
Subject: [PATCH] Validate default user in ordered list when using setattr,
 require MLS

The MLS component was optional in the format; it should be required.

https://fedorahosted.org/freeipa/ticket/2984
---
 ipalib/plugins/selinuxusermap.py                |   21 ++++++++++++---------
 tests/test_xmlrpc/test_selinuxusermap_plugin.py |   14 ++++++++++++--
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 2d689cd748c7e4128919279cd553ec31bca0e162..e4cebc1e41bc315e285899e4279bcac26143ab2e 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -72,10 +72,13 @@ notboth_err = _('HBAC rule and local members cannot both be set')
 
 def validate_selinuxuser(ugettext, user):
     """
-    An SELinux user has 3 components: user:MLS:MCS
-    user traditionally ends with _u but this is not mandatory. Regex is ^[a-zA-Z][a-zA-Z_]*
-    The MLS part can only be
-    Level: s[0-15](-s[0-15])
+    An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
+    user traditionally ends with _u but this is not mandatory.
+      The regex is ^[a-zA-Z][a-zA-Z_]*
+
+    The MLS part can only be:
+      Level: s[0-15](-s[0-15])
+
     Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
     Meaning
     s0 s0-s1 s0-s15:c0.c1023 s0-s1:c0,c2,c15.c26 s0-s0:c0.c1023
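Review bot: The context line `Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]` still carries the typo `c[0-c0123]` where the rest of the docstring uses `c[0-1023]`; since this commit already rewrites the surrounding docstring, correcting it to `c[0-1023]-c[0-1023]` would fit here. The same typo appears in the runtime MCS error string in the next hunk and in the test expectation `u'and/or c[0-1023]-c[0-c0123]'`, so fixing the message would also mean updating that test. validate_selinuxuser's body continues past this hunk.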
@@ -92,7 +95,7 @@ def validate_selinuxuser(ugettext, user):
 
     if not regex_name.match(name):
         return _('Invalid SELinux user name, only a-Z and _ are allowed')
-    if mls and not regex_mls.match(mls):
+    if not mls or not regex_mls.match(mls):
         return _('Invalid MLS value, must match s[0-15](-s[0-15])')
     if mcs and not regex_mcs.match(mcs):
         return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
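Review bot: With the new condition, a value that has no MLS component at all is reported as `Invalid MLS value, must match s[0-15](-s[0-15])`, which tells the caller the component is malformed rather than missing. A separate guard before the regex check, `if not mls: return _('MLS value is required, must match s[0-15](-s[0-15])')`, would make the requirement explicit; the new test expecting the current message for `deny` would need the same wording. `regex_mls` is defined outside this hunk — if the pattern is not anchored with `$`, `match()` accepts trailing characters after a valid level, which is worth confirming since this validator is the only format check reached via setattr. The split of `user` into name/mls/mcs happens before this hunk.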
@@ -283,11 +286,11 @@ class selinuxusermap_mod(LDAPUpdate):
         if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
             raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts")
 
-        if 'ipaselinuxuser' in options:
-            validate_selinuxuser_inlist(ldap, options['ipaselinuxuser'])
+        if 'ipaselinuxuser' in entry_attrs:
+            validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
 
-        if 'seealso' in options:
-            entry_attrs['seealso'] = self.obj._normalize_seealso(options['seealso'])
+        if 'seealso' in entry_attrs:
+            entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso'])
         return dn
 
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
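Review bot: Keying on `entry_attrs` instead of `options` is what lets a value supplied through `--setattr` reach `validate_selinuxuser_inlist`, but the analogous `pre_callback` in `selinuxusermap_add` is not in this diff; if it still checks `options`, the same bypass remains for add, and the test added in this commit exercises only `selinuxusermap_mod`. Whether `entry_attrs['ipaselinuxuser']` arrives as a scalar or a single-element list after setattr processing is not visible here — `validate_selinuxuser_inlist` previously received the parameter value from `options`, so confirm it accepts whatever form `entry_attrs` holds. `pre_callback` begins before this hunk.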
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index fef9aa1cc9c841c33c07bbd01452ce1d01f1bce2..83260e8ab982da59343d84eba63c21e135ce61d4 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -606,9 +606,9 @@ class test_selinuxusermap(Declarative):
         dict(
             desc='Create rule with unknown user %r' % rule1,
             command=(
-                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound')
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound:s0:c0')
             ),
-            expected=errors.NotFound(reason=u'SELinux user notfound not ' +
+            expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 not ' +
                 u'found in ordering list (in config)'),
         ),
 
@@ -643,4 +643,14 @@ class test_selinuxusermap(Declarative):
                     u'and/or c[0-1023]-c[0-c0123]'),
         ),
 
+
+        dict(
+            desc='Create rule with invalid user via setattr',
+            command=(
+                'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')
+            ),
+            expected=errors.ValidationError(name='ipaselinuxuser',
+                error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
+        ),
+
     ]
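Review bot: The new case at the end of the list pins only the format validator (`deny` fails the MLS regex), not the ordering-list check that the `pre_callback` change in selinuxusermap.py is meant to reach via setattr. A well-formed value absent from the ordered list, passed through `setattr`, would confirm that `validate_selinuxuser_inlist` now runs on `entry_attrs`; the expected error mirrors the existing `notfound:s0:c0` case earlier in this file. The `test_selinuxusermap` class begins outside the hunk.
```python
        dict(
            desc='Create rule with unlisted user via setattr',
            command=(
                'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=notfound:s0:c0')
            ),
            expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 not ' +
                u'found in ordering list (in config)'),
        ),
```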
-- 
1.7.10.4
