On 09/27/2012 10:42 AM, Petr Viktorin wrote:
> On 09/27/2012 09:59 AM, Martin Kosek wrote:
>> On 09/26/2012 08:31 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 09/26/2012 12:32 PM, Petr Viktorin wrote:
>>>>> On 09/26/2012 12:25 PM, Petr Viktorin wrote:
>>>>>>
>>>>>> I found strange behavior in validate_selinuxuser. Perhaps it's material
>>>>>> for another ticket. This command passes validation:
>>>>>>
>>>>>> $ ./ipa config_mod
>>>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>>> --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why
>>>>>> is stuff allowed here?'
>>>>>> [...]
>>>>>> SELinux user map order:
>>>>>> unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff
>>>>>> allowed here?
>>>>>> Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>>>>> PAC type: MS-PAC
>>>>>>
>>>>>> Obviously extra info should not be allowed.
>>>>>> Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the
>>>>>> second?
>>>>>> AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4"
>>>>>> should not be allowed. Chains like "c1.c2.c3" also don't look right.
>>>>>
>>>>> ... Also, the MLS/MCS numeric limits are not enforced correctly:
>>>>> "xguest_u:s92:c999999999,c0" passes.
>>>>>
>>>> Right. We can create a ticket to harden the validation if we want. So far,
>>>> the purpose of this ticket/patch is to make validation of config values
>>>> consistent with the selinuxusermap plugin. I will let Rob chime in, but I
>>>> would keep this patch as is.
>>>>
>>>> Martin
>>>
>>> Yes, please open another ticket for the validation issues.
>>>
>>> rob
>>
>> https://fedorahosted.org/freeipa/ticket/3119
>>
>> Martin
>
> ACK for the patch

Pushed to master, ipa-3-0.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
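The thread quoted above lists concrete inputs that a strict SELinux user validator should reject (trailing free text, dashes inside a category list, dotted chains, a sensitivity of s92, a category of c999999999) and one that it should accept (unconfined_u:s0-s0:c0.c1023). The validator below is an added example written for this page; it is not FreeIPA's validate_selinuxuser and has not been checked against it. It assumes the SELinux reference-policy defaults of sensitivities s0..s15 and categories c0..c1023, the MLS dominance rule (in user:low-high, the high level may not have a lower sensitivity than the low level and must contain every category of the low level), and that the default user passed to --ipaselinuxusermapdefault must appear in the $-separated --ipaselinuxusermaporder list; all three are assumptions, not facts stated in the thread.

```python
import re

# Bounds assumed from the SELinux reference policy defaults (16 sensitivities,
# 1024 categories). They are not stated in the thread; adjust for your policy.
MAX_SENS = 15
MAX_CAT = 1023

_USER_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_.-]*')
_SENS_RE = re.compile(r's(\d+)')
_CAT_RE = re.compile(r'c(\d+)')


class SELinuxUserError(ValueError):
    """Raised for any syntactically or semantically invalid SELinux user."""


def _cat_num(token):
    # A category is exactly 'c<number>' within the policy's range; anything
    # else (e.g. 'c0-c4' or 'c999999999') is rejected here.
    m = _CAT_RE.fullmatch(token)
    if not m or int(m.group(1)) > MAX_CAT:
        raise SELinuxUserError("bad category %r" % token)
    return int(m.group(1))


def parse_categories(spec):
    """Parse 'c0,c5.c7' into a frozenset of category numbers.

    Only single categories and two-element dot ranges with low < high are
    accepted, so dashes ('c0-c4'), chains ('c1.c2.c3'), reversed ranges
    ('c4.c3') and trailing junk are all rejected.
    """
    cats = set()
    for item in spec.split(','):
        parts = item.split('.')
        if len(parts) == 1:
            lo = hi = _cat_num(parts[0])
        elif len(parts) == 2:
            lo, hi = _cat_num(parts[0]), _cat_num(parts[1])
            if lo >= hi:
                raise SELinuxUserError("bad category range %r" % item)
        else:
            raise SELinuxUserError("bad category item %r" % item)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(level):
    """Parse 's0' or 's0:c0.c1023' into (sensitivity, categories)."""
    sens, sep, cats = level.partition(':')
    m = _SENS_RE.fullmatch(sens)
    if not m or int(m.group(1)) > MAX_SENS:
        raise SELinuxUserError("bad sensitivity %r" % sens)
    return int(m.group(1)), (parse_categories(cats) if sep else frozenset())


def parse_selinux_user(value):
    """Parse 'user:low[-high]' and return (user, low, high).

    Assumption (MLS dominance, not taken from FreeIPA's code): the high
    level may not have a lower sensitivity than the low level, and its
    category set must be a superset of the low level's categories.
    """
    user, sep, mls = value.partition(':')
    if not sep or not _USER_RE.fullmatch(user):
        raise SELinuxUserError("bad SELinux user %r" % value)
    low_spec, dash, high_spec = mls.partition('-')
    low = parse_level(low_spec)
    high = parse_level(high_spec) if dash else low
    if high[0] < low[0] or not high[1] >= low[1]:
        raise SELinuxUserError("high level does not dominate low in %r" % value)
    return user, low, high


def is_valid_selinux_user(value):
    """Boolean wrapper around parse_selinux_user for quick checks."""
    try:
        parse_selinux_user(value)
        return True
    except SELinuxUserError:
        return False


def parse_usermap_order(order, default=None):
    """Validate a '$'-separated order list and return its entries.

    Assumption: when a default user is given it must be one of the entries.
    """
    entries = order.split('$')
    for entry in entries:
        parse_selinux_user(entry)
    if default is not None and default not in entries:
        raise SELinuxUserError("default %r not in order list" % default)
    return entries


if __name__ == '__main__':
    # Constructed inputs: the accepted value and two rejected ones from the thread.
    for s in ("unconfined_u:s0-s0:c0.c1023",
              "xguest_u:s5-s1:c0-c4.c4,c4:extra text",
              "xguest_u:s92:c999999999,c0"):
        print(s, "->", "valid" if is_valid_selinux_user(s) else "rejected")
```

Note that the parser works on the first ':' and first '-' only, so any second dash or stray text is pushed into the high level and fails there; that is what turns "s5-s1:c0-c4.c4,c4:extra text" into a rejection without a separate "no trailing garbage" rule.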