-rw-r--r--ipalib/plugins/selinuxusermap.py3
-rw-r--r--tests/test_xmlrpc/test_selinuxusermap_plugin.py11
2 files changed, 13 insertions, 1 deletions
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e4cebc1e4..d793987aa 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -97,7 +97,8 @@ def validate_selinuxuser(ugettext, user):
return _('Invalid SELinux user name, only a-Z and _ are allowed')
if not mls or not regex_mls.match(mls):
return _('Invalid MLS value, must match s[0-15](-s[0-15])')
- if mcs and not regex_mcs.match(mcs):
+ m = regex_mcs.match(mcs)
+ if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
return None
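Review bot: The new range check in `validate_selinuxuser` bounds only `m.group(3)`, so an out-of-range first category (a lone `c2000`, say) would still pass validation if the pattern captures it in another group; the regex is defined above this hunk, so that needs confirming. If group 1 is the first category number, the condition could be `if mcs and (not m or any(g and int(g) > 1023 for g in (m.group(1), m.group(3)))):`. `regex_mcs.match(mcs)` now also runs before the `mcs` truthiness test, which is harmless for an empty string but would raise `TypeError` if `mcs` can ever be `None`; `m = regex_mcs.match(mcs) if mcs else None` keeps the old guard. The error message on the next line still reads `c[0-c0123]`, presumably meant to be `c[0-1023]`, and the new test hard-codes the same text, so both would need changing together. The function body starts outside the hunk.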
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index 06ad751ac..b44829413 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -644,6 +644,17 @@ class test_selinuxusermap(Declarative):
dict(
+ desc='Create rule with invalid MLS xguest_u:s0:c0.c1028',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
+ ),
+ expected=errors.ValidationError(name='selinuxuser',
+ error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
+ u'and/or c[0-1023]-c[0-c0123]'),
+ ),
+
+
+ dict(
desc='Create rule with invalid user via setattr',
command=(
'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')