authorRob Crittenden <rcritten@redhat.com>2012-08-15 17:21:19 -0400
committerMartin Kosek <mkosek@redhat.com>2012-08-16 12:52:38 +0200
commitb5d0a9fcb24c5154919f1b83b2fa2f5999f48ba9 (patch)
tree653800b3517fb97679640dfb68ff4e96f658bae5
parentbb5788fc7e1278d7d342e403248f7ccc58dfd6ed (diff)
Validate default user in ordered list when using setattr, require MLS
The MLS component was optional in the format; it should be required. https://fedorahosted.org/freeipa/ticket/2984
-rw-r--r--ipalib/plugins/selinuxusermap.py21
-rw-r--r--tests/test_xmlrpc/test_selinuxusermap_plugin.py14
2 files changed, 24 insertions, 11 deletions
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 2d689cd74..e4cebc1e4 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -72,10 +72,13 @@ notboth_err = _('HBAC rule and local members cannot both be set')
def validate_selinuxuser(ugettext, user):
"""
- An SELinux user has 3 components: user:MLS:MCS
- user traditionally ends with _u but this is not mandatory. Regex is ^[a-zA-Z][a-zA-Z_]*
- The MLS part can only be
- Level: s[0-15](-s[0-15])
+ An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
+ user traditionally ends with _u but this is not mandatory.
+ The regex is ^[a-zA-Z][a-zA-Z_]*
+
+ The MLS part can only be:
+ Level: s[0-15](-s[0-15])
+
Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]
Meaning
s0 s0-s1 s0-s15:c0.c1023 s0-s1:c0,c2,c15.c26 s0-s0:c0.c1023
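Review bot: The MCS line kept as context right below the rewritten docstring block still reads `c[0-1023]-c[0-c0123]`, which looks like a typo for `c[0-1023]-c[0-1023]`, and since this commit is already rewriting the surrounding docstring it is the natural place to correct it. The same string appears in the MCS error message and in the test expectation further down the page, so those would be a separate behavioral change; the docstring can be fixed on its own. It would also help to state the function's contract here, since the caller in the next hunk depends on it: `Returns an error message string when the value is rejected` (and presumably None otherwise, which the visible lines do not show). validate_selinuxuser's body continues past the end of this hunk.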
@@ -92,7 +95,7 @@ def validate_selinuxuser(ugettext, user):
if not regex_name.match(name):
return _('Invalid SELinux user name, only a-Z and _ are allowed')
- if mls and not regex_mls.match(mls):
+ if not mls or not regex_mls.match(mls):
return _('Invalid MLS value, must match s[0-15](-s[0-15])')
if mcs and not regex_mcs.match(mcs):
return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
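Review bot: The tightened `if not mls or not regex_mls.match(mls)` check still relies on `match`, which anchors only at the start of the string; unless the pattern compiled into `regex_mls` (defined outside this hunk) ends with `$`, a value such as `s0junk` would pass the MLS check and reach LDAP, so the pattern should be confirmed end-anchored or a `$` appended. The MCS error message on the last context line carries the same `c[0-c0123]` typo that the test expectation at the bottom of the page reproduces verbatim, so correcting the message means updating both together. How `name`, `mls` and `mcs` are split out of `user` happens before the hunk, so whether a value with no colon at all yields `mls = None` or raises is not visible here; the new check handles the None/empty case either way.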
@@ -283,11 +286,11 @@ class selinuxusermap_mod(LDAPUpdate):
if is_all(options, 'hostcategory') and 'memberhost' in entry_attrs:
raise errors.MutuallyExclusiveError(reason="host category cannot be set to 'all' while there are allowed hosts")
- if 'ipaselinuxuser' in options:
- validate_selinuxuser_inlist(ldap, options['ipaselinuxuser'])
+ if 'ipaselinuxuser' in entry_attrs:
+ validate_selinuxuser_inlist(ldap, entry_attrs['ipaselinuxuser'])
- if 'seealso' in options:
- entry_attrs['seealso'] = self.obj._normalize_seealso(options['seealso'])
+ if 'seealso' in entry_attrs:
+ entry_attrs['seealso'] = self.obj._normalize_seealso(entry_attrs['seealso'])
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
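Review bot: Reading `entry_attrs['ipaselinuxuser']` instead of `options['ipaselinuxuser']` means the value can now arrive via `--setattr`/`--addattr`, where the framework commonly hands the plugin a list of strings rather than the single unicode value `--selinuxuser` produces; `validate_selinuxuser_inlist` (defined elsewhere in the file) should be confirmed to accept a list, or the value unwrapped first, e.g. `value = entry_attrs['ipaselinuxuser']` / `if isinstance(value, (list, tuple)): value = value[0]`. An empty `--setattr ipaselinuxuser=` or a `--delattr` presumably leaves an empty or None value in `entry_attrs` at this point, and it is worth checking that the validator rejects that explicitly rather than letting the rule silently lose its SELinux user. pre_callback's signature and the start of its body are above this hunk; only its tail is visible.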
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index c1bee54dc..06ad751ac 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -605,9 +605,9 @@ class test_selinuxusermap(Declarative):
dict(
desc='Create rule with unknown user %r' % rule1,
command=(
- 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound')
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'notfound:s0:c0')
),
- expected=errors.NotFound(reason=u'SELinux user notfound not ' +
+ expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 not ' +
u'found in ordering list (in config)'),
),
@@ -642,4 +642,14 @@ class test_selinuxusermap(Declarative):
u'and/or c[0-1023]-c[0-c0123]'),
),
+
+ dict(
+ desc='Create rule with invalid user via setattr',
+ command=(
+ 'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')
+ ),
+ expected=errors.ValidationError(name='ipaselinuxuser',
+ error=u'Invalid MLS value, must match s[0-15](-s[0-15])'),
+ ),
+
]
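Review bot: The added test pins only the MLS format check for a `--setattr` value, while the commit title also claims the ordering-list lookup now runs for `--setattr`; that `NotFound` path (the one the earlier hunk in this file adjusts) has no setattr case. A second entry mirroring the existing unknown-user test but driven through `selinuxusermap_mod` with `setattr=u'ipaselinuxuser=notfound:s0:c0'` would cover it, assuming the mod path raises the same message as add. The enclosing `test_selinuxusermap` class and its `tests` list begin before this hunk.
```python
        dict(
            desc='Update rule with unknown user via setattr',
            command=(
                'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=notfound:s0:c0')
            ),
            expected=errors.NotFound(reason=u'SELinux user notfound:s0:c0 not ' +
                u'found in ordering list (in config)'),
        ),
```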