Restrict the SELinux user map user MLS value to 0-1023

https://fedorahosted.org/freeipa/ticket/3001
author: Rob Crittenden <rcritten@redhat.com> 2012-08-28 17:14:28 -0400
committer: Martin Kosek <mkosek@redhat.com> 2012-08-29 09:29:08 +0200
commit: 785e80c4fc0804812a148977cf42ea1f626ecece (patch)
tree: 6b0e478a55f777be5fc97f388f5c61c1998b4630 /ipalib
parent: 5e277a97a6d115d52a840649626ed9537a23ba78 (diff)
download: freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.tar.gz
freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.tar.xz
freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e4cebc1e4..d793987aa 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -97,7 +97,8 @@ def validate_selinuxuser(ugettext, user):
         return _('Invalid SELinux user name, only a-Z and _ are allowed')
     if not mls or not regex_mls.match(mls):
         return _('Invalid MLS value, must match s[0-15](-s[0-15])')
-    if mcs and not regex_mcs.match(mcs):
+    m = regex_mcs.match(mcs)
+    if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
         return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
 
     return None
author	Rob Crittenden <rcritten@redhat.com>	2012-08-28 17:14:28 -0400
committer	Martin Kosek <mkosek@redhat.com>	2012-08-29 09:29:08 +0200
commit	785e80c4fc0804812a148977cf42ea1f626ecece (patch)
tree	6b0e478a55f777be5fc97f388f5c61c1998b4630 /ipalib
parent	5e277a97a6d115d52a840649626ed9537a23ba78 (diff)
download	freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.tar.gz freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.tar.xz freeipa-785e80c4fc0804812a148977cf42ea1f626ecece.zip