[Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
Rob Crittenden
rcritten at redhat.com
Wed Sep 26 18:31:03 UTC 2012
Martin Kosek wrote:
> On 09/26/2012 12:32 PM, Petr Viktorin wrote:
>> On 09/26/2012 12:25 PM, Petr Viktorin wrote:
>>>
>>> I found strange behavior in validate_selinuxuser. Perhaps it's material
>>> for another ticket. This command passes validation:
>>>
>>> $ ./ipa config_mod
>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>> --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why
>>>
>>> is stuff allowed here?'
>>> [...]
>>> SELinux user map order:
>>> unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff
>>> allowed here?
>>> Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>> PAC type: MS-PAC
>>
>>>
>>> Obviously extra info should not be allowed.
>>> Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?
>>> AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4"
>>> should not be allowed. Chains like "c1.c2.c3" also don't look right.
>>
>>
>> ... Also, the MLS/MCS numeric limits are not enforced correctly:
>> "xguest_u:s92:c999999999,c0" passes.
>>
>>
>>
>
> Right. We can create a ticket to harden the validation if we want. So far, the
> purpose of this ticket/patch is to make validation of config values consistent
> with selinuxusermap plugin. I will let Rob to chime in, but I would keep this
> patch as is.
>
> Martin
>
Yes, please open another ticket for the validation issues.
rob
More information about the Freeipa-devel
mailing list