Martin Kosek wrote:
On 09/26/2012 12:32 PM, Petr Viktorin wrote:
On 09/26/2012 12:25 PM, Petr Viktorin wrote:

I found strange behavior in validate_selinuxuser. Perhaps it's material
for another ticket. This command passes validation:

$ ./ipa config_mod
--ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
--ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why

is stuff allowed here?'
[...]
    SELinux user map order:
unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff
allowed here?
    Default SELinux user: unconfined_u:s0-s0:c0.c1023
    PAC type: MS-PAC


Obviously extra info should not be allowed.
Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?
AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4"
should not be allowed. Chains like "c1.c2.c3" also don't look right.


... Also, the MLS/MCS numeric limits are not enforced correctly:
"xguest_u:s92:c999999999,c0" passes.




Right. We can create a ticket to harden the validation if we want. So far, the
purpose of this ticket/patch is to make validation of config values consistent
with selinuxusermap plugin. I will let Rob to chime in, but I would keep this
patch as is.

Martin


Yes, please open another ticket for the validation issues.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to