[Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod
Petr Viktorin
pviktori at redhat.com
Thu Sep 27 08:42:11 UTC 2012
On 09/27/2012 09:59 AM, Martin Kosek wrote:
> On 09/26/2012 08:31 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 09/26/2012 12:32 PM, Petr Viktorin wrote:
>>>> On 09/26/2012 12:25 PM, Petr Viktorin wrote:
>>>>>
>>>>> I found strange behavior in validate_selinuxuser. Perhaps it's material
>>>>> for another ticket. This command passes validation:
>>>>>
>>>>> $ ./ipa config_mod
>>>>> --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023
>>>>> --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why
>>>>>
>>>>>
>>>>> is stuff allowed here?'
>>>>> [...]
>>>>> SELinux user map order:
>>>>> unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff
>>>>> allowed here?
>>>>> Default SELinux user: unconfined_u:s0-s0:c0.c1023
>>>>> PAC type: MS-PAC
>>>>
>>>>>
>>>>> Obviously extra info should not be allowed.
>>>>> Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?
>>>>> AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4"
>>>>> should not be allowed. Chains like "c1.c2.c3" also don't look right.
>>>>
>>>>
>>>> ... Also, the MLS/MCS numeric limits are not enforced correctly:
>>>> "xguest_u:s92:c999999999,c0" passes.
>>>>
>>>>
>>>>
>>>
>>> Right. We can create a ticket to harden the validation if we want. So far, the
>>> purpose of this ticket/patch is to make validation of config values consistent
>>> with selinuxusermap plugin. I will let Rob to chime in, but I would keep this
>>> patch as is.
>>>
>>> Martin
>>>
>>
>> Yes, please open another ticket for the validation issues.
>>
>> rob
>
> https://fedorahosted.org/freeipa/ticket/3119
>
> Martin
>
ACK for the patch
--
Petr³
More information about the Freeipa-devel
mailing list