rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity
0a4aede6a1
ipa/SOURCES/0002-Fix-test_webui.test_selinuxusermap.patch
CentOS Sources 0a4aede6a1 import ipa-4.8.0-10.module+el8.1.0+4107+4a66eb87
2021-09-10 11:03:44 +00:00

125 lines
5.9 KiB
Diff
Raw Blame History

From 96af5394c210e637a5ab81d6925be3b0a429fc08 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Fri, 5 Jul 2019 14:39:17 +0300
Subject: [PATCH] Fix `test_webui.test_selinuxusermap`
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/updates/50-ipaconfig.update | 1 +
ipaplatform/base/constants.py | 10 +++++-----
ipaserver/install/ldapupdate.py | 3 +++
ipatests/test_integration/test_winsyncmigrate.py | 2 +-
ipatests/test_webui/data_selinuxusermap.py | 4 ++--
ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 4 ++--
6 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 2e1c5c357..35e154b4e 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,4 +1,5 @@
dn: cn=ipaConfig,cn=etc,$SUFFIX
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index cdb72e74a..eac60cac3 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -62,11 +62,11 @@ class BaseConstantsNamespace:
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
SELINUX_USERMAP_ORDER = (
"guest_u:s0"
- "$$xguest_u:s0"
- "$$user_u:s0"
- "$$staff_u:s0-s0:c0.c1023"
- "$$sysadm_u:s0-s0:c0.c1023"
- "$$unconfined_u:s0-s0:c0.c1023"
+ "$xguest_u:s0"
+ "$user_u:s0"
+ "$staff_u:s0-s0:c0.c1023"
+ "$sysadm_u:s0-s0:c0.c1023"
+ "$unconfined_u:s0-s0:c0.c1023"
)
SSSD_USER = "sssd"
# WSGI module override, only used on Fedora
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index d9e47dcc0..0cdea6a82 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -322,6 +322,9 @@ class LDAPUpdate:
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
platformconstants.SELINUX_USERMAP_DEFAULT
+ if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
+ self.sub_dict["SELINUX_USERMAP_ORDER"] = \
+ platformconstants.SELINUX_USERMAP_ORDER
self.api = create_api(mode=None)
self.api.bootstrap(in_server=True,
context='updates',
diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py
index 593fc2065..be9f44072 100644
--- a/ipatests/test_integration/test_winsyncmigrate.py
+++ b/ipatests/test_integration/test_winsyncmigrate.py
@@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
ipa_group = 'ipa_group'
ad_user = 'testuser'
default_shell = platformconstants.DEFAULT_SHELL
- selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
+ selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
test_role = 'test_role'
test_hbac_rule = 'test_hbac_rule'
test_selinux_map = 'test_selinux_map'
diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py
index ca7b1dcdd..312e7592f 100644
--- a/ipatests/test_webui/data_selinuxusermap.py
+++ b/ipatests/test_webui/data_selinuxusermap.py
@@ -5,8 +5,8 @@
from ipaplatform.constants import constants as platformconstants
# for example, user_u:s0
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
index 0b73992aa..e5b23bd4d 100644
--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
import pytest
rule1 = u'selinuxrule1'
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
platformconstants.SELINUX_MCS_REGEX,
--
2.21.0
Reference in New Issue View Git Blame Copy Permalink