From 256024db0a1cd2fb39445f9760bc8a49abb7f15c Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Tue, 25 Sep 2012 13:46:56 +0200
Subject: Validate SELinux users in config-mod
config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993
---
 tests/test_xmlrpc/test_config_plugin.py | 44 +++++++++++++++++++++++++++------
 1 file changed, 37 insertions(+), 7 deletions(-)
(limited to 'tests')
diff --git a/tests/test_xmlrpc/test_config_plugin.py b/tests/test_xmlrpc/test_config_plugin.py
index 6d83f047..3d9a31da 100644
--- a/tests/test_xmlrpc/test_config_plugin.py
+++ b/tests/test_xmlrpc/test_config_plugin.py
@@ -61,31 +61,61 @@ class test_config(Declarative):
 ),
 dict(
- desc='Try to set invalid ipaselinuxusermapdefault',
+ desc='Try to set ipaselinuxusermapdefault not in selinux order list',
 command=('config_mod', [],
 dict(ipaselinuxusermapdefault=u'unknown_u:s0')),
- expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault',
+ error='SELinux user map default user not in order list'),
+ ),
+
+ dict(
+ desc='Try to set invalid ipaselinuxusermapdefault',
+ command=('config_mod', [],
+ dict(ipaselinuxusermapdefault=u'foo')),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault',
+ error='Invalid MLS value, must match s[0-15](-s[0-15])'),
 ),
 dict(
 desc='Try to set invalid ipaselinuxusermapdefault with setattr',
 command=('config_mod', [],
 dict(setattr=u'ipaselinuxusermapdefault=unknown_u:s0')),
- expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault',
+ error='SELinux user map default user not in order list'),
 ),
 dict(
- desc='Try to set invalid ipaselinuxusermaporder',
+ desc='Try to set ipaselinuxusermaporder without ipaselinuxusermapdefault out of it',
 command=('config_mod', [],
 dict(ipaselinuxusermaporder=u'notfound_u:s0')),
- expected=errors.ValidationError(name='ipaselinuxusermaporder', error='SELinux user map default user not in order list'),
+ expected=errors.ValidationError(name='ipaselinuxusermaporder',
+ error='SELinux user map default user not in order list'),
+ ),
+
+ dict(
+ desc='Try to set invalid ipaselinuxusermaporder',
+ command=('config_mod', [],
+ dict(ipaselinuxusermaporder=u'$')),
+ expected=errors.ValidationError(name='ipaselinuxusermaporder',
+ error='A list of SELinux users delimited by $ expected'),
+ ),
+
+ dict(
+ desc='Try to set invalid selinux user in ipaselinuxusermaporder',
+ command=('config_mod', [],
+ dict(ipaselinuxusermaporder=u'unconfined_u:s0-s0:c0.c1023$baduser$guest_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermaporder',
+ error='SELinux user \'baduser\' is not valid: Invalid MLS ' 'value, must match s[0-15](-s[0-15])'),
 ),
 dict(
 desc='Try to set new selinux order and invalid default user',
 command=('config_mod', [],
- dict(ipaselinuxusermaporder=u'$xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023', ipaselinuxusermapdefault=u'unknown_u:s0')),
- expected=errors.ValidationError(name='ipaselinuxusermapdefault', error='SELinux user map default user not in order list'),
+ dict(ipaselinuxusermaporder=u'xguest_u:s0$guest_u:s0$user_u:s0-s0:c0.c1023$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023',
+ ipaselinuxusermapdefault=u'unknown_u:s0')),
+ expected=errors.ValidationError(name='ipaselinuxusermapdefault',
+ error='SELinux user map default user not in order list'),
 ),
 ]
-- cgit
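Review bot: The new negative cases never exercise the `s[0-15]` boundary that the pinned error message advertises, so a validator that accepted `s16` (or rejected `s15`) would pass this file unchanged; the only rejected inputs are `foo`, `$` and `baduser`, none of which probes the sensitivity range itself. A case such as the constructed one below, mirroring the `baduser` entry, would pin the upper bound (the expected message text is inferred from the `baduser` case and should be confirmed against the plugin). Note also that the accepted entries such as `user_u:s0-s0:c0.c1023` carry a category set that the quoted pattern `s[0-15](-s[0-15])` does not mention, so the message these tests pin understates what the validator allows. The desc `'Try to set ipaselinuxusermaporder without ipaselinuxusermapdefault out of it'` reads ambiguously; `desc='Try to set ipaselinuxusermaporder that does not contain ipaselinuxusermapdefault'` says the same thing plainly. The enclosing `test_config` class and the test-entry list these dicts belong to begin outside the hunk.

```python
        # … unchanged: preceding test entries …
        dict(
            desc='Try to set selinux user with out-of-range MLS level in ipaselinuxusermaporder',
            command=('config_mod', [],
                dict(ipaselinuxusermaporder=u'unconfined_u:s0-s0:c0.c1023$guest_u:s16$guest_u:s0')),
            expected=errors.ValidationError(name='ipaselinuxusermaporder',
                error='SELinux user \'guest_u:s16\' is not valid: Invalid MLS '
                'value, must match s[0-15](-s[0-15])'),
        ),
        # … unchanged: remaining test entries …
```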