Hi, Both selinuxusermap-add and selinuxusermap-mod now behave consistently: they refuse a request that sets a user/host category or user/host members together with an HBAC rule. The patch also adds a set of unit tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983 Tomas
>From 8cfde7e9fde521608557b6767ad91dee1901b45f Mon Sep 17 00:00:00 2001 From: Tomas Babej <tba...@redhat.com> Date: Mon, 3 Sep 2012 10:49:53 -0400 Subject: [PATCH] Make sure selinuxusemap behaves consistently to HBAC rule Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour. https://fedorahosted.org/freeipa/ticket/2983 --- ipalib/plugins/selinuxusermap.py | 39 ++++-- tests/test_xmlrpc/test_selinuxusermap_plugin.py | 179 ++++++++++++++++++++++++ 2 files changed, 210 insertions(+), 8 deletions(-) diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py index d793987aaa17c38fa5d6d83cb56038a7a5ebcd23..baa0139f60bee0bbe421950c977814639451e5fd 100644 --- a/ipalib/plugins/selinuxusermap.py +++ b/ipalib/plugins/selinuxusermap.py @@ -242,8 +242,18 @@ class selinuxusermap_add(LDAPCreate): # rules are enabled by default entry_attrs['ipaenabledflag'] = 'TRUE' validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser']) - if 'seealso' in options: - entry_attrs['seealso'] = self.obj._normalize_seealso(options['seealso']) + + # hbacrule is not allowed when usercat or hostcat is set + are_local_members_set = 'usercategory' in entry_attrs or \ + 'hostcategory' in entry_attrs + + is_hbacrule_set = 'seealso' in entry_attrs + + if is_hbacrule_set and are_local_members_set: + raise errors.MutuallyExclusiveError(reason=notboth_err) + + if is_hbacrule_set: + entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso']) return dn 
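Review bot: The add-side condition only looks at `usercategory` and `hostcategory`, so a request such as `selinuxusermap-add ... --hbacrule=X --setattr memberuser=...` would still be accepted, while the mod-side condition in the same patch rejects `memberuser`/`memberhost` precisely because they can arrive via --setattr; if --setattr can populate those attributes on add as well, the two commands are not yet consistent. Extending the check to `are_local_members_set = any(a in entry_attrs for a in ('usercategory', 'hostcategory', 'memberuser', 'memberhost'))` and rewording the comment to `# hbacrule is not allowed together with categories or explicit members` would close that gap. Reading `seealso` from `entry_attrs` instead of `options` is what makes the --setattr case work for the categories, so the same reasoning applies to members. The enclosing pre_callback starts above the hunk and `notboth_err` is defined outside it.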
@@ -276,15 +286,28 @@ class selinuxusermap_mod(LDAPUpdate): except errors.NotFound: self.obj.handle_not_found(*keys) - if 'seealso' in options and ('usercategory' in _entry_attrs or - 'hostcategory' in _entry_attrs or - 'memberuser' in _entry_attrs or - 'memberhost' in _entry_attrs): + # makes sure the local members and hbacrule is not set at the same time + # memberuser or memberhost could have been set using --setattr + are_local_members_to_be_set = 'usercategory' in _entry_attrs or \ + 'hostcategory' in _entry_attrs or \ + 'memberuser' in _entry_attrs or \ + 'memberhost' in _entry_attrs or \ + 'usercategory' in entry_attrs or \ + 'hostcategory' in entry_attrs or \ + 'memberuser' in entry_attrs or \ + 'memberhost' in entry_attrs + + is_hbacrule_to_be_set = 'seealso' in _entry_attrs or \ + 'seealso' in entry_attrs + + # this can disable all modifications if hbacrule and local members were + # set at the same time bypassing this commad, e.g. using ldapmodify + if are_local_members_to_be_set and is_hbacrule_to_be_set: raise errors.MutuallyExclusiveError(reason=notboth_err) - if is_all(options, 'usercategory') and 'memberuser' in entry_attrs: + if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs: raise errors.MutuallyExclusiveError(reason="user category cannot be set to 'all' while there are allowed users") - if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs: + if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs: raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts") if 'ipaselinuxuser' in entry_attrs: diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py index b448294137d664ca7beca6552db612808fef1f61..1aa3c793ace9cb13b3962888b6548d8ed875e2de 100644 --- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py +++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py 
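Review bot: The new mod-side check makes an entry that already carries both an HBAC rule and local members unmodifiable through this command, as the comment in the hunk itself admits: even `selinuxusermap-mod --desc=...` or `--selinuxuser=...` would raise MutuallyExclusiveError, leaving delete-and-recreate as the only repair. It also rejects a single request that clears one side and sets the other (`--hbacrule='' --usercat=all`), because `'seealso' in entry_attrs` is true for a clearing request too — assuming a None value in entry_attrs is how LDAPUpdate expresses removal, which is worth confirming. Evaluating the state the entry will be in after the update, and raising only when the request itself touches one of the conflicting attributes, keeps the intended invariant while leaving such entries repairable; the two flags in the hunk could be replaced along these lines. This relies on `attrs_list` requesting seealso and the member attributes, since `_entry_attrs` holds only what was asked for. pre_callback begins above the hunk and continues below it.
```python
        # how each attribute will look once this update is applied: a value
        # in the request wins over the stored one, and a request value of
        # None clears the attribute
        def _set_after_update(attr):
            if attr in entry_attrs:
                return entry_attrs[attr] is not None
            return attr in _entry_attrs

        local_member_attrs = ('usercategory', 'hostcategory',
                              'memberuser', 'memberhost')
        members_after = any(_set_after_update(a) for a in local_member_attrs)
        hbacrule_after = _set_after_update('seealso')
        request_touches_conflict = 'seealso' in entry_attrs or \
            any(a in entry_attrs for a in local_member_attrs)

        # reject only requests that create or keep the conflict, so an entry
        # that already has both (e.g. set via ldapmodify) stays editable
        if members_after and hbacrule_after and request_touches_conflict:
            raise errors.MutuallyExclusiveError(reason=notboth_err)

        # … unchanged: category 'all' vs member checks, ipaselinuxuser validation …
```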
@@ -663,4 +663,183 @@ class test_selinuxusermap(Declarative): error=u'Invalid MLS value, must match s[0-15](-s[0-15])'), ), + dict( + desc='Create rule with both --hbacrule and --usercat set', + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,usercategory=u'all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Create rule with both --hbacrule and --hostcat set', + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,hostcategory=u'all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Create rule with both --hbacrule and --usercat set via setattr', + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'usercategory=all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Create rule with both --hbacrule and --hostcat set via setattr', + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'hostcategory=all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Create rule %r with --hbacrule' % rule1, + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1) + ), + expected=dict( + value=rule1, + summary=u'Added SELinux User Map "%s"' % rule1, + result=dict( + cn=[rule1], + ipaselinuxuser=[selinuxuser1], + objectclass=objectclasses.selinuxusermap, + ipauniqueid=[fuzzy_uuid], + ipaenabledflag = [u'TRUE'], + dn=fuzzy_selinuxusermapdn, + seealso=hbacrule1 + ), + ), + ), + + dict( + desc='Add an --usercat to %r that has HBAC set' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(usercategory=u'all') + ), + 
expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Add an --hostcat to %r that has HBAC set' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(hostcategory=u'all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Add an usercat via setattr to %r that has HBAC set' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(setattr=u'usercategory=all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Add an hostcat via setattr to %r that has HBAC set' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(setattr=u'hostcategory=all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Delete %r' % rule1, + command=('selinuxusermap_del', [rule1], {}), + expected=dict( + result=dict(failed=u''), + value=rule1, + summary=u'Deleted SELinux User Map "%s"' % rule1, + ) + ), + + dict( + desc='Create rule %r with usercat and hostcat set' % rule1, + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,usercategory=u'all',hostcategory=u'all') + ), + expected=dict( + value=rule1, + summary=u'Added SELinux User Map "%s"' % rule1, + result=dict( + cn=[rule1], + ipaselinuxuser=[selinuxuser1], + objectclass=objectclasses.selinuxusermap, + ipauniqueid=[fuzzy_uuid], + ipaenabledflag = [u'TRUE'], + dn=fuzzy_selinuxusermapdn, + usercategory = [u'all'], + hostcategory = [u'all'] + ), + ), + ), + + dict( + desc='Add HBAC rule to %r that has usercat and hostcat' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1) + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Delete %r' % rule1, + command=('selinuxusermap_del', [rule1], {}), + 
expected=dict( + result=dict(failed=u''), + value=rule1, + summary=u'Deleted SELinux User Map "%s"' % rule1, + ) + ), + + dict( + desc='Create rule %r' % rule1, + command=( + 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1) + ), + expected=dict( + value=rule1, + summary=u'Added SELinux User Map "%s"' % rule1, + result=dict( + cn=[rule1], + ipaselinuxuser=[selinuxuser1], + objectclass=objectclasses.selinuxusermap, + ipauniqueid=[fuzzy_uuid], + ipaenabledflag = [u'TRUE'], + dn=fuzzy_selinuxusermapdn, + ), + ), + ), + + dict( + desc='Add HBAC rule, hostcat and usercat to %r' % rule1, + command=( + 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1,usercategory=u'all',hostcategory=u'all') + ), + expected=errors.MutuallyExclusiveError( + reason=u'HBAC rule and local members cannot both be set'), + ), + + dict( + desc='Delete %r' % rule1, + command=('selinuxusermap_del', [rule1], {}), + expected=dict( + result=dict(failed=u''), + value=rule1, + summary=u'Deleted SELinux User Map "%s"' % rule1, + ) + ), ] -- 1.7.11.4
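Review bot: The new tests exercise the category attributes both as options and via --setattr, but neither command is tested with explicit members: there is no add combining `seealso=hbacrule1` with `setattr=u'memberuser=...'`, and no mod that sets `seealso` on a rule that already has a user or host member added through the membership commands. Since the mod-side condition in this patch explicitly lists `memberuser`/`memberhost`, those are the cases most likely to expose a divergence between add and mod. A case that clears the HBAC rule and sets a category in the same call (`dict(seealso=None, usercategory=u'all')`, if None is how the test harness expresses clearing) would also pin down whether switching a rule from HBAC-backed to local membership takes one command or two. The Declarative class these dicts belong to starts above the hunk.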