Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
On 09/26/2012 08:31 PM, Rob Crittenden wrote: Martin Kosek wrote: On 09/26/2012 12:32 PM, Petr Viktorin wrote: On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?' [...] SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here? Default SELinux user: unconfined_u:s0-s0:c0.c1023 PAC type: MS-PAC Obviously extra info should not be allowed. Is s5-s1 or c4.c3 valid? Can the first value be higher than the second? AFAIK (I'm not an expert though), MCS doesn't allow dashes, so c0-c4 should not be allowed. Chains like c1.c2.c3 also don't look right. ... Also, the MLS/MCS numeric limits are not enforced correctly: xguest_u:s92:c9,c0 passes. Right. We can create a ticket to harden the validation if we want. So far, the purpose of this ticket/patch is to make validation of config values consistent with selinuxusermap plugin. I will let Rob to chime in, but I would keep this patch as is. Martin Yes, please open another ticket for the validation issues. rob https://fedorahosted.org/freeipa/ticket/3119 Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
On 09/27/2012 09:59 AM, Martin Kosek wrote: On 09/26/2012 08:31 PM, Rob Crittenden wrote: Martin Kosek wrote: On 09/26/2012 12:32 PM, Petr Viktorin wrote: On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?' [...] SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here? Default SELinux user: unconfined_u:s0-s0:c0.c1023 PAC type: MS-PAC Obviously extra info should not be allowed. Is s5-s1 or c4.c3 valid? Can the first value be higher than the second? AFAIK (I'm not an expert though), MCS doesn't allow dashes, so c0-c4 should not be allowed. Chains like c1.c2.c3 also don't look right. ... Also, the MLS/MCS numeric limits are not enforced correctly: xguest_u:s92:c9,c0 passes. Right. We can create a ticket to harden the validation if we want. So far, the purpose of this ticket/patch is to make validation of config values consistent with selinuxusermap plugin. I will let Rob to chime in, but I would keep this patch as is. Martin Yes, please open another ticket for the validation issues. rob https://fedorahosted.org/freeipa/ticket/3119 Martin ACK for the patch -- Petr³ ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
On 09/27/2012 10:42 AM, Petr Viktorin wrote: On 09/27/2012 09:59 AM, Martin Kosek wrote: On 09/26/2012 08:31 PM, Rob Crittenden wrote: Martin Kosek wrote: On 09/26/2012 12:32 PM, Petr Viktorin wrote: On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?' [...] SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here? Default SELinux user: unconfined_u:s0-s0:c0.c1023 PAC type: MS-PAC Obviously extra info should not be allowed. Is s5-s1 or c4.c3 valid? Can the first value be higher than the second? AFAIK (I'm not an expert though), MCS doesn't allow dashes, so c0-c4 should not be allowed. Chains like c1.c2.c3 also don't look right. ... Also, the MLS/MCS numeric limits are not enforced correctly: xguest_u:s92:c9,c0 passes. Right. We can create a ticket to harden the validation if we want. So far, the purpose of this ticket/patch is to make validation of config values consistent with selinuxusermap plugin. I will let Rob to chime in, but I would keep this patch as is. Martin Yes, please open another ticket for the validation issues. rob https://fedorahosted.org/freeipa/ticket/3119 Martin ACK for the patch Pushed to master, ipa-3-0. Martin ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
Martin Kosek wrote: On 09/26/2012 12:32 PM, Petr Viktorin wrote: On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?' [...] SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here? Default SELinux user: unconfined_u:s0-s0:c0.c1023 PAC type: MS-PAC Obviously extra info should not be allowed. Is s5-s1 or c4.c3 valid? Can the first value be higher than the second? AFAIK (I'm not an expert though), MCS doesn't allow dashes, so c0-c4 should not be allowed. Chains like c1.c2.c3 also don't look right. ... Also, the MLS/MCS numeric limits are not enforced correctly: xguest_u:s92:c9,c0 passes. Right. We can create a ticket to harden the validation if we want. So far, the purpose of this ticket/patch is to make validation of config values consistent with selinuxusermap plugin. I will let Rob to chime in, but I would keep this patch as is. Martin Yes, please open another ticket for the validation issues. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.
https://fedorahosted.org/freeipa/ticket/2993
---
Note: I removed the previous validate construct:
-validate = dict(options)
-validate.update(entry_attrs)
... as entry_attrs contains both values set via standard options and *attr.
Martin
From 296eedc7cfd258b9e5eaf4f182b1a9625f5bf1a1 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 25 Sep 2012 13:46:56 +0200
Subject: [PATCH] Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order
and a default SELinux user. Validate the new config values to
prevent bogus default SELinux users to be assigned to IPA users.
https://fedorahosted.org/freeipa/ticket/2993
---
ipalib/plugins/config.py| 49 +
tests/test_xmlrpc/test_config_plugin.py | 44 -
2 files changed, 69 insertions(+), 24 deletions(-)
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index e02519d5759f4e4a6d6a7075fe896f8b2e69b451..1c62e0d942231fac442ee2c1f31431003c08e283 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
@@ -21,6 +21,7 @@
from ipalib import api
from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam
from ipalib.plugins.baseldap import *
+from ipalib.plugins.selinuxusermap import validate_selinuxuser
from ipalib import _
from ipalib.errors import ValidationError
@@ -258,30 +259,44 @@ class config_mod(LDAPUpdate):
error=_('%(obj)s default attribute %(attr)s would not be allowed!') \
% dict(obj=obj, attr=obj_attr))
-# Combine the current entry and options into a single object to
-# evaluate. This covers changes via setattr and options.
-# Note: this is not done in a validator because we may be changing
-# the default user and map list at the same time and we don't
-# have both values in a validator.
-validate = dict(options)
-validate.update(entry_attrs)
-if ('ipaselinuxusermapdefault' in validate or
- 'ipaselinuxusermaporder' in validate):
+if ('ipaselinuxusermapdefault' in entry_attrs or
+ 'ipaselinuxusermaporder' in entry_attrs):
config = None
failedattr = 'ipaselinuxusermaporder'
-if 'ipaselinuxusermapdefault' in validate:
-defaultuser = validate['ipaselinuxusermapdefault']
+
+if 'ipaselinuxusermapdefault' in entry_attrs:
+defaultuser = entry_attrs['ipaselinuxusermapdefault']
failedattr = 'ipaselinuxusermapdefault'
+
+# validate the new default user first
+if defaultuser is not None:
+error_message = validate_selinuxuser(_, defaultuser)
+
+if error_message:
+raise errors.ValidationError(name='ipaselinuxusermapdefault',
+error=error_message)
+
else:
config = ldap.get_ipa_config()[1]
-if 'ipaselinuxusermapdefault' in config:
-defaultuser = config['ipaselinuxusermapdefault'][0]
-else:
-defaultuser = None
+defaultuser = config.get('ipaselinuxusermapdefault', [None])[0]
-if 'ipaselinuxusermaporder' in validate:
-order = validate['ipaselinuxusermaporder']
+if 'ipaselinuxusermaporder' in entry_attrs:
+order = entry_attrs['ipaselinuxusermaporder']
userlist = order.split('$')
+
+# validate the new user order first
+for user in userlist:
+if not user:
+raise errors.ValidationError(name='ipaselinuxusermaporder',
+error=_('A list of SELinux users delimited by $ expected'))
+
+error_message = validate_selinuxuser(_, user)
+if error_message:
+error_message = _(SELinux user '%(user)s' is not
+valid: %(error)s) % dict(user=user,
+ error=error_message)
+raise errors.ValidationError(name='ipaselinuxusermaporder',
+error=error_message)
else:
if not config:
config = ldap.get_ipa_config()[1]
diff --git a/tests/test_xmlrpc/test_config_plugin.py b/tests/test_xmlrpc/test_config_plugin.py
index 6d83f047e0e647270712003d77c40f3c1014f90f..3d9a31daf38b4b8a28febee90f5812cf78538ee7 100644
--- a/tests/test_xmlrpc/test_config_plugin.py
+++ b/tests/test_xmlrpc/test_config_plugin.py
@@
