Hi,

Both the selinuxusermap-add and selinuxusermap-mod commands now behave
consistently: neither allows a user/host category or user/host members
to be set at the same time as an HBAC rule. The patch also adds a set of
unit tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983

Tomas
>From 8cfde7e9fde521608557b6767ad91dee1901b45f Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Mon, 3 Sep 2012 10:49:53 -0400
Subject: [PATCH] Make sure selinuxusemap behaves consistently to HBAC rule

Both the selinuxusermap-add and selinuxusermap-mod commands now behave
consistently: neither allows a user/host category or user/host members
to be set at the same time as an HBAC rule. The patch also adds a set of
unit tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
---
 ipalib/plugins/selinuxusermap.py                |  39 ++++--
 tests/test_xmlrpc/test_selinuxusermap_plugin.py | 179 ++++++++++++++++++++++++
 2 files changed, 210 insertions(+), 8 deletions(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index d793987aaa17c38fa5d6d83cb56038a7a5ebcd23..baa0139f60bee0bbe421950c977814639451e5fd 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -242,8 +242,18 @@ class selinuxusermap_add(LDAPCreate):
         # rules are enabled by default
         entry_attrs['ipaenabledflag'] = 'TRUE'
         validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
-        if 'seealso' in options:
-            entry_attrs['seealso'] = self.obj._normalize_seealso(options['seealso'])
+
+        # hbacrule is not allowed when usercat or hostcat is set
+        are_local_members_set = 'usercategory' in entry_attrs or \
+                                'hostcategory' in entry_attrs
+
+        is_hbacrule_set = 'seealso' in entry_attrs
+
+        if is_hbacrule_set and are_local_members_set:
+            raise errors.MutuallyExclusiveError(reason=notboth_err)
+
+        if is_hbacrule_set:
+            entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso'])
 
         return dn
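Review bot: The add-side guard at L39-L40 treats only `usercategory` and `hostcategory` as local members, whereas the mod-side check in the same patch also counts `memberuser` and `memberhost` (which, as its comment says, can arrive through --setattr); as far as this hunk shows, an add with `--hbacrule` plus `--setattr memberuser=...` would pass here and create exactly the combined state that selinuxusermap-mod then refuses to touch. Consider `are_local_members_set = any(a in entry_attrs for a in ('usercategory', 'hostcategory', 'memberuser', 'memberhost'))` so both commands agree on what a local member is. The enclosing pre_callback starts before this hunk.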
 
@@ -276,15 +286,28 @@ class selinuxusermap_mod(LDAPUpdate):
         except errors.NotFound:
             self.obj.handle_not_found(*keys)
 
-        if 'seealso' in options and ('usercategory' in _entry_attrs or
-          'hostcategory' in _entry_attrs or
-          'memberuser' in _entry_attrs or
-          'memberhost' in _entry_attrs):
+        # makes sure the local members and hbacrule is not set at the same time
+        # memberuser or memberhost could have been set using --setattr
+        are_local_members_to_be_set  = 'usercategory' in _entry_attrs or \
+                                       'hostcategory' in _entry_attrs or \
+                                       'memberuser' in _entry_attrs or \
+                                       'memberhost' in _entry_attrs or \
+                                       'usercategory' in entry_attrs or \
+                                       'hostcategory' in entry_attrs or \
+                                       'memberuser' in entry_attrs or \
+                                       'memberhost' in entry_attrs
+
+        is_hbacrule_to_be_set = 'seealso' in _entry_attrs or \
+                                'seealso' in entry_attrs
+
+        # this can disable all modifications if hbacrule and local members were
+        # set at the same time bypassing this commad, e.g. using ldapmodify
+        if are_local_members_to_be_set and is_hbacrule_to_be_set:
             raise errors.MutuallyExclusiveError(reason=notboth_err)
 
-        if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
+        if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs:
             raise errors.MutuallyExclusiveError(reason="user category cannot be set to 'all' while there are allowed users")
-        if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
+        if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs:
             raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts")
 
         if 'ipaselinuxuser' in entry_attrs:
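Review bot: The new check at L62-L76 tests only whether keys are present in the stored entry or in the request, not what value each attribute will hold after the update, so the lockout the comment at L74-L75 admits also blocks the repair: an entry that already carries both seealso and a category (e.g. written with ldapmodify) cannot be fixed through this command even by a mod that clears one side, and if a cleared attribute is still passed as a key in entry_attrs (presumably with an empty/None value — confirm against the framework) a single `--hbacrule=X --usercat=''` request is rejected as well. Deciding on the post-update value of each attribute keeps the invariant while still allowing a transition out of the inconsistent state. The comment on L75 also misspells "command". The enclosing pre_callback begins and ends outside this hunk.
```python
        # … unchanged: lookup of _entry_attrs …
        local_attrs = ('usercategory', 'hostcategory', 'memberuser', 'memberhost')

        def _will_hold(attr):
            # value after this update: the requested one when given
            # (an empty/None request clears it), otherwise the stored one
            if attr in entry_attrs:
                return bool(entry_attrs[attr])
            return bool(_entry_attrs.get(attr))

        are_local_members_to_be_set = any(_will_hold(a) for a in local_attrs)
        is_hbacrule_to_be_set = _will_hold('seealso')

        if are_local_members_to_be_set and is_hbacrule_to_be_set:
            raise errors.MutuallyExclusiveError(reason=notboth_err)
        # … unchanged: is_all checks and ipaselinuxuser validation …
```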
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index b448294137d664ca7beca6552db612808fef1f61..1aa3c793ace9cb13b3962888b6548d8ed875e2de 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -663,4 +663,183 @@ class test_selinuxusermap(Declarative):
                 error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
         ),
 
+        dict(
+            desc='Create rule with both --hbacrule and --usercat set',
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,usercategory=u'all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Create rule with both --hbacrule and --hostcat set',
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,hostcategory=u'all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Create rule with both --hbacrule and --usercat set via setattr',
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'usercategory=all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Create rule with both --hbacrule and --hostcat set via setattr',
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'hostcategory=all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Create rule %r with --hbacrule' % rule1,
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1)
+            ),
+            expected=dict(
+                value=rule1,
+                summary=u'Added SELinux User Map "%s"' % rule1,
+                result=dict(
+                    cn=[rule1],
+                    ipaselinuxuser=[selinuxuser1],
+                    objectclass=objectclasses.selinuxusermap,
+                    ipauniqueid=[fuzzy_uuid],
+                    ipaenabledflag = [u'TRUE'],
+                    dn=fuzzy_selinuxusermapdn,
+                    seealso=hbacrule1
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Add an --usercat to %r that has HBAC set' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(usercategory=u'all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Add an --hostcat to %r that has HBAC set' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(hostcategory=u'all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Add an usercat via setattr to %r that has HBAC set' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(setattr=u'usercategory=all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Add an hostcat via setattr to %r that has HBAC set' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(setattr=u'hostcategory=all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Delete %r' % rule1,
+            command=('selinuxusermap_del', [rule1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=rule1,
+                summary=u'Deleted SELinux User Map "%s"' % rule1,
+            )
+        ),
+
+        dict(
+            desc='Create rule %r with usercat and hostcat set' % rule1,
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,usercategory=u'all',hostcategory=u'all')
+            ),
+            expected=dict(
+                value=rule1,
+                summary=u'Added SELinux User Map "%s"' % rule1,
+                result=dict(
+                    cn=[rule1],
+                    ipaselinuxuser=[selinuxuser1],
+                    objectclass=objectclasses.selinuxusermap,
+                    ipauniqueid=[fuzzy_uuid],
+                    ipaenabledflag = [u'TRUE'],
+                    dn=fuzzy_selinuxusermapdn,
+                    usercategory = [u'all'],
+                    hostcategory = [u'all']
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Add HBAC rule to %r that has usercat and hostcat' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1)
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Delete %r' % rule1,
+            command=('selinuxusermap_del', [rule1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=rule1,
+                summary=u'Deleted SELinux User Map "%s"' % rule1,
+            )
+        ),
+
+        dict(
+            desc='Create rule %r' % rule1,
+            command=(
+                'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1)
+            ),
+            expected=dict(
+                value=rule1,
+                summary=u'Added SELinux User Map "%s"' % rule1,
+                result=dict(
+                    cn=[rule1],
+                    ipaselinuxuser=[selinuxuser1],
+                    objectclass=objectclasses.selinuxusermap,
+                    ipauniqueid=[fuzzy_uuid],
+                    ipaenabledflag = [u'TRUE'],
+                    dn=fuzzy_selinuxusermapdn,
+                ),
+            ),
+        ),
+
+        dict(
+            desc='Add HBAC rule, hostcat and usercat to %r' % rule1,
+            command=(
+                'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1,usercategory=u'all',hostcategory=u'all')
+            ),
+            expected=errors.MutuallyExclusiveError(
+                reason=u'HBAC rule and local members cannot both be set'),
+        ),
+
+        dict(
+            desc='Delete %r' % rule1,
+            command=('selinuxusermap_del', [rule1], {}),
+            expected=dict(
+                result=dict(failed=u''),
+                value=rule1,
+                summary=u'Deleted SELinux User Map "%s"' % rule1,
+            )
+        ),
     ]
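Review bot: None of the new cases exercises `memberuser`/`memberhost` as the local-member side, although the mod-side comment in this patch singles them out as settable via --setattr; one add and one mod case with `setattr=u'memberuser=...'` would cover that branch, and a case that runs selinuxusermap_add_user against the rule created with --hbacrule at L131-L149 would show whether the member commands enforce the same rule, which this patch does not touch. The expectation `seealso=hbacrule1` at L146 is the only result attribute written as a bare value rather than a list (`cn=[rule1]`, `usercategory = [u'all']`); if post_callback returns it as a list like the others this case will fail, so it is worth confirming before merging. The enclosing test list starts before this hunk.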
-- 
1.7.11.4
