[Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod

Petr Viktorin pviktori at redhat.com
Wed Sep 26 10:32:29 UTC 2012


On 09/26/2012 12:25 PM, Petr Viktorin wrote:
>
> I found strange behavior in validate_selinuxuser. Perhaps it's material
> for another ticket. This command passes validation:
>
> $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?'
> [...]
>    SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here?
>    Default SELinux user: unconfined_u:s0-s0:c0.c1023
>    PAC type: MS-PAC
>
> Obviously extra info should not be allowed.
> Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?
> AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4"
> should not be allowed. Chains like "c1.c2.c3" also don't look right.


... Also, the MLS/MCS numeric limits are not enforced correctly:
"xguest_u:s92:c999999999,c0" passes.



-- 
Petr³
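The stricter validation this message asks for, written out as an added example; it is neither FreeIPA's validate_selinuxuser nor code from the thread. It parses the form user:low[-high] where each level is s<N>[:<categories>] and a category list is c<N> or c<N>.c<M> ranges separated by commas, then applies the checks the message lists: no trailing text, no dashes or chains inside the category list, numeric limits enforced, and the high end of a range must dominate the low end (the SELinux definition of a valid MLS range). Assumed, not taken from the page: the limits s0..s15 and c0..c1023 of the targeted policy, the identifier syntax for user names, that the MLS range is mandatory, and that the order string is split on "$" as in the quoted command.

```python
import re
from dataclasses import dataclass

# Limits of the reference policy's MLS/MCS configuration (assumption: the
# targeted policy defines sensitivities s0..s15 and categories c0..c1023).
MAX_SENSITIVITY = 15
MAX_CATEGORY = 1023

_USER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")    # assumed identifier syntax
_SENS_RE = re.compile(r"^s([0-9]+)$")
_CAT_RE = re.compile(r"^c([0-9]+)$")
_CAT_RANGE_RE = re.compile(r"^c([0-9]+)\.c([0-9]+)$")  # c0.c1023 is a range


class SELinuxUserError(ValueError):
    """Raised when a string does not match user:low[-high] with valid levels."""


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset

    def dominates(self, other):
        # MLS dominance: sensitivity is not lower and the category set is a
        # superset; the high end of a range must dominate the low end.
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)


@dataclass(frozen=True)
class SELinuxUser:
    user: str
    low: Level
    high: Level


def _parse_categories(text):
    """Parse 'c0,c3.c7' into a frozenset of category numbers."""
    cats = set()
    for item in text.split(","):
        m = _CAT_RE.match(item)
        if m:
            lo = hi = int(m.group(1))
        else:
            m = _CAT_RANGE_RE.match(item)
            if not m:  # rejects 'c0-c4', 'c1.c2.c3' and any trailing text
                raise SELinuxUserError("bad category %r" % item)
            lo, hi = int(m.group(1)), int(m.group(2))
            if lo > hi:
                raise SELinuxUserError("inverted category range %r" % item)
        if hi > MAX_CATEGORY:
            raise SELinuxUserError("%r exceeds c%d" % (item, MAX_CATEGORY))
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text):
    """Parse one MLS level 's<N>[:<categories>]'."""
    sens_part, sep, cats_part = text.partition(":")
    m = _SENS_RE.match(sens_part)
    if not m:
        raise SELinuxUserError("bad sensitivity %r" % sens_part)
    sens = int(m.group(1))
    if sens > MAX_SENSITIVITY:
        raise SELinuxUserError("%r exceeds s%d" % (sens_part, MAX_SENSITIVITY))
    if sep and not cats_part:
        raise SELinuxUserError("empty category list in %r" % text)
    cats = _parse_categories(cats_part) if cats_part else frozenset()
    return Level(sens, cats)


def parse_selinux_user(text):
    """Parse '<user>:<low>[-<high>]' (assumption: the MLS range is mandatory)."""
    user, _sep, mls = text.partition(":")
    if not _USER_RE.match(user):
        raise SELinuxUserError("bad SELinux user name %r" % user)
    if not mls:
        raise SELinuxUserError("missing MLS range in %r" % text)
    low_text, dash, high_text = mls.partition("-")
    low = parse_level(low_text)
    high = parse_level(high_text) if dash else low
    if not high.dominates(low):  # rejects 's5-s1' and ranges that drop categories
        raise SELinuxUserError("high level does not dominate low in %r" % mls)
    return SELinuxUser(user, low, high)


def is_valid_selinux_user(text):
    try:
        parse_selinux_user(text)
    except SELinuxUserError:
        return False
    return True


def validate_user_map_order(order):
    """Validate a '$'-separated user map order and return the user names."""
    return [parse_selinux_user(item).user for item in order.split("$")]


if __name__ == "__main__":
    # Constructed inputs mirroring the cases raised in the message.
    for candidate in ["unconfined_u:s0-s0:c0.c1023",
                      "xguest_u:s5-s1:c0-c4.c4,c4:extra",
                      "xguest_u:s92:c999999999,c0",
                      "guest_u:s0:c1.c2.c3"]:
        print("%-40s %s" % (candidate, is_valid_selinux_user(candidate)))
```

Category ranges are expanded into sets so that dominance can be checked as a subset test rather than by comparing strings; with the c0..c1023 limit this stays small. Which limit values are right depends on the policy of the enrolled hosts, so in a real deployment they belong in configuration rather than in constants.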