From 29a5d16b2dbc87a959dc953cfd48d584408c07a7 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 10 Sep 2012 17:07:54 -0400
Subject: Set SELinux default context to unconfined_u:s0-s0:c0.c1023

Don't require ipaselinuxdefaultuser to be set. If this is unset then SSSD will use the system default.

https://fedorahosted.org/freeipa/ticket/3045
---
 install/share/bootstrap-template.ldif | 2 +-
 install/updates/50-ipaconfig.update | 2 +-
 ipalib/plugins/config.py | 9 ++++++---
 3 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index aac3f059..24804e47 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -383,7 +383,7 @@ ipaDefaultEmailDomain: $DOMAIN
 ipaMigrationEnabled: FALSE
 ipaConfigString: AllowNThash
 ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-ipaSELinuxUserMapDefault: guest_u:s0
+ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 dn: cn=cosTemplates,cn=accounts,$SUFFIX
 changetype: add
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index b08df180..0992db4e 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,5 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
 add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
-add:ipaSELinuxUserMapDefault: guest_u:s0
+add:ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023
 add:ipaUserObjectClasses: ipasshuser
diff --git a/ipalib/plugins/config.py b/ipalib/plugins/config.py
index ef0fd79f..e02519d5 100644
--- a/ipalib/plugins/config.py
+++ b/ipalib/plugins/config.py
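Review bot: The new value in the bootstrap-template.ldif hunk, `ipaSELinuxUserMapDefault: unconfined_u:s0-s0:c0.c1023`, is the least-confined entry of the `ipaSELinuxUserMapOrder` list on the line above it, replacing `guest_u:s0`, the most-confined one, and nothing in the template or the commit message records why that end of the list was chosen. The message describes making the attribute optional so that SSSD falls back to the system default, yet both this template and the 50-ipaconfig.update hunk still set an explicit value, so a fresh install never takes the unset path the message is about; a one-line comment above the attribute in the template, or a sentence in the message, stating that an explicit unconfined default is intended for new installs would let someone auditing the SELinux mapping policy reconcile the two. The same value change appears in the 50-ipaconfig.update hunk, which uses `add:`; whether the updater replaces an already-stored `guest_u:s0` on existing deployments or leaves it in place is not visible here and should be confirmed before relying on the new default there.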
@@ -185,7 +185,7 @@ class config(LDAPObject):
 label=_('SELinux user map order'),
 doc=_('Order in increasing priority of SELinux users, delimited by $'),
 ),
- Str('ipaselinuxusermapdefault',
+ Str('ipaselinuxusermapdefault?',
 label=_('Default SELinux user'),
 doc=_('Default SELinux user when no match is found in SELinux map rule'),
 ),
@@ -274,7 +274,10 @@ class config_mod(LDAPUpdate):
 failedattr = 'ipaselinuxusermapdefault'
 else:
 config = ldap.get_ipa_config()[1]
- defaultuser = config['ipaselinuxusermapdefault'][0]
+ if 'ipaselinuxusermapdefault' in config:
+ defaultuser = config['ipaselinuxusermapdefault'][0]
+ else:
+ defaultuser = None
 if 'ipaselinuxusermaporder' in validate:
 order = validate['ipaselinuxusermaporder']
@@ -284,7 +287,7 @@ class config_mod(LDAPUpdate):
 config = ldap.get_ipa_config()[1]
 order = config['ipaselinuxusermaporder']
 userlist = order[0].split('$')
- if defaultuser not in userlist:
+ if defaultuser and defaultuser not in userlist:
 raise errors.ValidationError(name=failedattr, error=_('SELinux user map default user not in order list'))
-- 
cgit
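Review bot: Making the parameter optional in `Str('ipaselinuxusermapdefault?',` changes what an absent value means, but the `doc` text on the following lines still describes only the matched/unmatched case and says nothing about the unset case. The commit message is currently the only place recording that SSSD then falls back to the system default, and that belongs in the help text the administrator actually sees: `doc=_('Default SELinux user when no match is found in SELinux map rule; if unset, SSSD uses the system default')`. Without it, clearing the value reads as "no mapping" rather than "a different mapping". The `config` class whose parameter list this hunk edits starts and ends outside the hunk.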
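Review bot: The four-line `if 'ipaselinuxusermapdefault' in config:` / `else: defaultuser = None` block in the second config.py hunk is a single lookup with a fallback, and reads more directly as `defaultuser = config.get('ipaselinuxusermapdefault', [None])[0]`. The value-or-`None` contract it establishes is what the third hunk then relies on with `if defaultuser and defaultuser not in userlist:`, so keeping it in one expression makes that dependency easier to see when the validation is next touched. The enclosing `config_mod` method starts and ends outside the hunk.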