Jakub Hrozek wrote:
On Mon, Sep 10, 2012 at 05:38:47PM -0400, Rob Crittenden wrote:
We've decided to change the default SELinux user map user to the OS
default which is unconfined_u. It would be too drastic to go from
one extreme to another.

rob

How does one set an "empty default" that the SSSD would treat as "don't
create any login file whatsoever" ?

Patch updated to support that.

rob

From bfd6f7215f35f203ee9c7535cb26a854e7a910b5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Mon, 10 Sep 2012 17:07:54 -0400
Subject: [PATCH] Set SELinux default context to unconfined_u:s0-s0:c0.c1023

Don't require ipaselinuxdefaultuser to be set. If this is unset then
SSSD will use the system default.

https://fedorahosted.org/freeipa/ticket/3045
---
 install/share/bootstrap-template.ldif | 2 +-
 install/updates/50-ipaconfig.update   | 2 +-
 ipalib/plugins/config.py              | 9 ++++++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index aac3f059ad30130e085bfcf37a7a1a6f1b49dc8c..24804e475427ad7e5b2ae7c69d6cfb54cafbef38 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -383,7 +383,7 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-ipaSELinuxUserMapDefault: guest_u:s0
+ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 
 dn: cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add
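Review bot: the commit message says an unset ipaSELinuxUserMapDefault makes SSSD fall back to the system default, yet this hunk still pins the bootstrap value to unconfined_u:s0-s0:c0.c1023; on a system whose OS default login context is not unconfined_u, the pinned value and the "use the system default" behaviour described in the commit message diverge. Either leave the attribute out of the template so a fresh install really inherits the OS default, or state in the commit message that fresh installs get an explicit unconfined_u default while only cleared values fall back to SSSD.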
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index b08df1806c4d2561fd5b24263e0f1c16f8b6f72f..0992db4ec92c3cc254bf8d05892dd4abd9988d8c 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
 add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-add:ipaSELinuxUserMapDefault: guest_u:s0
+add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 
 add:ipaUserObjectClasses: ipasshuser
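Review bot: the update directive here is `add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023`, but an upgraded server will already carry the previous `ipaSELinuxUserMapDefault: guest_u:s0`; it should be confirmed whether `add:` leaves that existing value alone (so upgraded deployments keep the stricter guest_u default and only fresh installs get unconfined_u) or adds a second value. The intended upgrade behaviour is not stated in the commit message and is exactly what an administrator auditing login contexts after the upgrade will need to know.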
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index ef0fd79facd644b485831c9a0c6e6d5574c71936..e02519d5759f4e4a6d6a7075fe896f8b2e69b451 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -185,7 +185,7 @@ class config(LDAPObject):
             label=_('SELinux user map order'),
             doc=_('Order in increasing priority of SELinux users, delimited by $'),
         ),
-        Str('ipaselinuxusermapdefault',
+        Str('ipaselinuxusermapdefault?',
             label=_('Default SELinux user'),
             doc=_('Default SELinux user when no match is found in SELinux map rule'),
         ),
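Review bot: the parameter becomes optional (`Str('ipaselinuxusermapdefault?'`), but the `doc=` string is unchanged and does not tell the administrator what an unset or cleared value means; the commit message says SSSD then uses the system default, so the doc string should say that, e.g. "Default SELinux user when no match is found in SELinux map rule; if unset, SSSD uses the system default". Separately, the commit message refers to `ipaselinuxdefaultuser`, which is not the attribute name used in this hunk (`ipaselinuxusermapdefault`); the message should use the real name.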
@@ -274,7 +274,10 @@ class config_mod(LDAPUpdate):
                 failedattr = 'ipaselinuxusermapdefault'
             else:
                 config = ldap.get_ipa_config()[1]
-                defaultuser = config['ipaselinuxusermapdefault'][0]
+                if 'ipaselinuxusermapdefault' in config:
+                    defaultuser = config['ipaselinuxusermapdefault'][0]
+                else:
+                    defaultuser = None
 
             if 'ipaselinuxusermaporder' in validate:
                 order = validate['ipaselinuxusermaporder']
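Review bot: style: the new four-line `if 'ipaselinuxusermapdefault' in config: ... else: defaultuser = None` can be collapsed to `defaultuser = config.get('ipaselinuxusermapdefault', [None])[0]` if the entry returned by `ldap.get_ipa_config()[1]` supports `.get()` as it does `in`; otherwise the explicit branch is fine but deserves a one-line comment that a missing attribute means "no default, SSSD decides".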
@@ -284,7 +287,7 @@ class config_mod(LDAPUpdate):
                     config = ldap.get_ipa_config()[1]
                 order = config['ipaselinuxusermaporder']
                 userlist = order[0].split('$')
-            if defaultuser not in userlist:
+            if defaultuser and defaultuser not in userlist:
                 raise errors.ValidationError(name=failedattr,
                     error=_('SELinux user map default user not in order list'))
 
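Review bot: `if defaultuser and defaultuser not in userlist:` relies on truthiness, so both `None` (attribute absent in LDAP, from the hunk above) and `''` (value cleared in this request) skip the validation; that is the intended "no default" semantics, but it is subtle enough to warrant a comment such as `# an empty/absent default means SSSD uses the system default; nothing to validate`. Note also that clearing the default while keeping an order list leaves users with no matching map rule to whatever SSSD chooses, which is the behaviour the thread asked for but should be visible to a reader of this check.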
-- 
1.7.11.4

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel