On 09/05/2012 01:56 PM, Martin Kosek wrote:
On 09/03/2012 05:12 PM, Tomas Babej wrote:
Hi,
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983
Tomas
I found few issues with this patch:
1) Patch needs a rebase
2) Patch does not expect attributes to be set to None, i.e. to be left empty or
to be deleted, e.g.:
# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set
# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all
----------------------------
Added SELinux User Map "foo"
----------------------------
Rule name: foo
SELinux User: guest_u:s0
User category: all
Enabled: TRUE
# ipa selinuxusermap-mod foo --usercat= --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set
# ipa selinuxusermap-mod foo --usercat=
-------------------------------
Modified SELinux User Map "foo"
-------------------------------
Rule name: foo
SELinux User: guest_u:s0
Enabled: TRUE
# ipa selinuxusermap-mod foo --hbacrule=foo
-------------------------------
Modified SELinux User Map "foo"
-------------------------------
Rule name: foo
SELinux User: guest_u:s0
HBAC Rule: foo
Enabled: TRUE
# ipa selinuxusermap-mod foo --hbacrule= --usercat=all
ipa: ERROR: HBAC rule and local members cannot both be set
All these validation failures are not valid.
3) Additionally, I think it would be more readable and less error prone if,
instead of this blob:
+ are_local_members_to_be_set = 'usercategory' in _entry_attrs or \
+ 'hostcategory' in _entry_attrs or \
+ 'memberuser' in _entry_attrs or \
+ 'memberhost' in _entry_attrs
You would use something like that:
are_local_members_to_be_set = any(attr in _entry_attrs
for attr in ('usercategory',
'hostcategory',
'memberuser',
'memberhost'))
Martin
1.) Done.
2.) Corrected.
3.) Fixed.
Tomas
>From d77004bce8644b0f3a64860174539c9a2d640ef1 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 6 Sep 2012 07:03:42 -0400
Subject: [PATCH] Make sure selinuxusemap behaves consistently to HBAC rule
Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.
https://fedorahosted.org/freeipa/ticket/2983
---
ipalib/plugins/selinuxusermap.py | 49 +++++--
tests/test_xmlrpc/test_selinuxusermap_plugin.py | 179 ++++++++++++++++++++++++
2 files changed, 216 insertions(+), 12 deletions(-)
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 13bbb58ec0e6b7bd4275be17198c7452090a0781..131a83ce5674628041601e98028a013d47b40a4a 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -242,8 +242,21 @@ class selinuxusermap_add(LDAPCreate):
# rules are enabled by default
entry_attrs['ipaenabledflag'] = 'TRUE'
validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
- if 'seealso' in options:
- entry_attrs['seealso'] = self.obj._normalize_seealso(options['seealso'])
+
+ # hbacrule is not allowed when usercat or hostcat is set
+ is_to_be_set = lambda x : x in entry_attrs and entry_attrs[x]!=None
+
+ are_local_members_to_be_set = any(is_to_be_set(attr)
+ for attr in ('usercategory',
+ 'hostcategory'))
+
+ is_hbacrule_to_be_set = is_to_be_set('seealso')
+
+ if is_hbacrule_to_be_set and are_local_members_to_be_set:
+ raise errors.MutuallyExclusiveError(reason=notboth_err)
+
+ if is_hbacrule_to_be_set:
+ entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso'])
return dn
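Review bot: The add-side `any(...)` tuple tests only `usercategory` and `hostcategory`, while the mod hunk below also covers `memberuser` and `memberhost` because, as its comment says, they can arrive via `--setattr`; if setattr values are merged into `entry_attrs` before this callback runs (the `setattr=u'usercategory=all'` test cases suggest they are), an add with `--hbacrule` plus `--setattr memberuser=...` slips past this check. Use the same four-attribute tuple here: `for attr in ('usercategory', 'hostcategory', 'memberuser', 'memberhost'))`. On style, `entry_attrs[x]!=None` should be `entry_attrs[x] is not None`, and PEP 8 prefers a small `def is_to_be_set(x):` over assigning a lambda to a name. The enclosing `selinuxusermap_add.pre_callback` starts before this hunk.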
@@ -276,18 +289,30 @@ class selinuxusermap_mod(LDAPUpdate):
except errors.NotFound:
self.obj.handle_not_found(*keys)
- if 'seealso' in options and ('usercategory' in _entry_attrs or
- 'hostcategory' in _entry_attrs or
- 'memberuser' in _entry_attrs or
- 'memberhost' in _entry_attrs):
+ # makes sure the local members and hbacrule is not set at the same time
+ # memberuser or memberhost could have been set using --setattr
+ is_to_be_set = lambda x: (x in _entry_attrs and _entry_attrs[x]!=None) or \
+ (x in entry_attrs and entry_attrs[x]!=None)
+
+ are_local_members_to_be_set = any(is_to_be_set(attr)
+ for attr in ('usercategory',
+ 'hostcategory',
+ 'memberuser',
+ 'memberhost'))
+
+ is_hbacrule_to_be_set = is_to_be_set('seealso')
+
+ # this can disable all modifications if hbacrule and local members were
+ # set at the same time bypassing this commad, e.g. using ldapmodify
+ if are_local_members_to_be_set and is_hbacrule_to_be_set:
raise errors.MutuallyExclusiveError(reason=notboth_err)
- if is_all(options, 'usercategory') and 'memberuser' in entry_attrs:
- raise errors.MutuallyExclusiveError(reason=_("user category "
- "cannot be set to 'all' while there are allowed users"))
- if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
- raise errors.MutuallyExclusiveError(reason=_("host category "
- "cannot be set to 'all' while there are allowed hosts"))
+ if is_all(entry_attrs, 'usercategory') and 'memberuser' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="user category "
+ "cannot be set to 'all' while there are allowed users")
+ if is_all(entry_attrs, 'hostcategory') and 'memberhost' in entry_attrs:
+ raise errors.MutuallyExclusiveError(reason="host category "
+ "cannot be set to 'all' while there are allowed hosts")
if 'ipaselinuxuser' in entry_attrs:
validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
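Review bot: `is_to_be_set` still reports `seealso` as set when this command explicitly clears it, because the stored value in `_entry_attrs` is consulted even when `entry_attrs['seealso']` is `None`; assuming `_entry_attrs` is the entry read from LDAP just before the hunk, `selinuxusermap-mod foo --hbacrule= --usercat=all` — the last case in the review above — still raises `MutuallyExclusiveError`. Give the command's explicit value precedence over the stored one: `is_to_be_set = lambda x: (entry_attrs[x] if x in entry_attrs else _entry_attrs.get(x)) is not None`. The two `is_all` messages also lose their `_()` wrapper in this hunk, which drops them from translation; keep `reason=_("user category " ...)` and `reason=_("host category " ...)` as before. The enclosing `pre_callback` starts before this hunk and continues past it.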
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index b448294137d664ca7beca6552db612808fef1f61..1aa3c793ace9cb13b3962888b6548d8ed875e2de 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -663,4 +663,183 @@ class test_selinuxusermap(Declarative):
error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
),
+ dict(
+ desc='Create rule with both --hbacrule and --usercat set',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,usercategory=u'all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Create rule with both --hbacrule and --hostcat set',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,hostcategory=u'all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Create rule with both --hbacrule and --usercat set via setattr',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'usercategory=all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Create rule with both --hbacrule and --hostcat set via setattr',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1,setattr=u'hostcategory=all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Create rule %r with --hbacrule' % rule1,
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,seealso=hbacrule1)
+ ),
+ expected=dict(
+ value=rule1,
+ summary=u'Added SELinux User Map "%s"' % rule1,
+ result=dict(
+ cn=[rule1],
+ ipaselinuxuser=[selinuxuser1],
+ objectclass=objectclasses.selinuxusermap,
+ ipauniqueid=[fuzzy_uuid],
+ ipaenabledflag = [u'TRUE'],
+ dn=fuzzy_selinuxusermapdn,
+ seealso=hbacrule1
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Add an --usercat to %r that has HBAC set' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(usercategory=u'all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Add an --hostcat to %r that has HBAC set' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(hostcategory=u'all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Add an usercat via setattr to %r that has HBAC set' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(setattr=u'usercategory=all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Add an hostcat via setattr to %r that has HBAC set' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(setattr=u'hostcategory=all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Delete %r' % rule1,
+ command=('selinuxusermap_del', [rule1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=rule1,
+ summary=u'Deleted SELinux User Map "%s"' % rule1,
+ )
+ ),
+
+ dict(
+ desc='Create rule %r with usercat and hostcat set' % rule1,
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1,usercategory=u'all',hostcategory=u'all')
+ ),
+ expected=dict(
+ value=rule1,
+ summary=u'Added SELinux User Map "%s"' % rule1,
+ result=dict(
+ cn=[rule1],
+ ipaselinuxuser=[selinuxuser1],
+ objectclass=objectclasses.selinuxusermap,
+ ipauniqueid=[fuzzy_uuid],
+ ipaenabledflag = [u'TRUE'],
+ dn=fuzzy_selinuxusermapdn,
+ usercategory = [u'all'],
+ hostcategory = [u'all']
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Add HBAC rule to %r that has usercat and hostcat' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1)
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Delete %r' % rule1,
+ command=('selinuxusermap_del', [rule1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=rule1,
+ summary=u'Deleted SELinux User Map "%s"' % rule1,
+ )
+ ),
+
+ dict(
+ desc='Create rule %r' % rule1,
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=selinuxuser1)
+ ),
+ expected=dict(
+ value=rule1,
+ summary=u'Added SELinux User Map "%s"' % rule1,
+ result=dict(
+ cn=[rule1],
+ ipaselinuxuser=[selinuxuser1],
+ objectclass=objectclasses.selinuxusermap,
+ ipauniqueid=[fuzzy_uuid],
+ ipaenabledflag = [u'TRUE'],
+ dn=fuzzy_selinuxusermapdn,
+ ),
+ ),
+ ),
+
+ dict(
+ desc='Add HBAC rule, hostcat and usercat to %r' % rule1,
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(seealso=hbacrule1,usercategory=u'all',hostcategory=u'all')
+ ),
+ expected=errors.MutuallyExclusiveError(
+ reason=u'HBAC rule and local members cannot both be set'),
+ ),
+
+ dict(
+ desc='Delete %r' % rule1,
+ command=('selinuxusermap_del', [rule1], {}),
+ expected=dict(
+ result=dict(failed=u''),
+ value=rule1,
+ summary=u'Deleted SELinux User Map "%s"' % rule1,
+ )
+ ),
]
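Review bot: No case exercises the clearing path that motivated the `!= None` checks — a `selinuxusermap_mod` that passes `seealso=None` together with `usercategory=u'all'` on a rule that currently has an HBAC rule — so the reviewed scenario (`--hbacrule= --usercat=all`) stays untested and a regression there would pass this suite. Add such a case after 'Create rule %r with --hbacrule' and before the first 'Delete %r', where rule1 still has `seealso` set; the expected success result can be modelled on the mod success cases earlier in the file. On style, `ipaenabledflag = [u'TRUE']` and `usercategory = [u'all']` put spaces around `=` in keyword arguments, unlike the neighbouring keys.
```python
    # … unchanged: preceding cases up to 'Create rule %r with --hbacrule' …
    dict(
        desc='Clear HBAC rule and set --usercat on %r in one command' % rule1,
        command=(
            'selinuxusermap_mod', [rule1], dict(seealso=None, usercategory=u'all')
        ),
        # expected=dict(...): success result with usercategory=[u'all'] and no
        # seealso — take the shape from an existing mod success case (PLACEHOLDER)
    ),
    # … unchanged: 'Delete %r' and the remaining cases …
```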
--
1.7.11.4