From 785e80c4fc0804812a148977cf42ea1f626ecece Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Aug 29 2012 07:29:08 +0000
Subject: Restrict the SELinux user map user MLS value to 0-1023
https://fedorahosted.org/freeipa/ticket/3001
---
diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e4cebc1..d793987 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -97,7 +97,8 @@ def validate_selinuxuser(ugettext, user):
 return _('Invalid SELinux user name, only a-Z and _ are allowed')
 if not mls or not regex_mls.match(mls):
 return _('Invalid MLS value, must match s[0-15](-s[0-15])')
- if mcs and not regex_mcs.match(mcs):
+ m = regex_mcs.match(mcs)
+ if mcs and (not m or (m.group(3) and (int(m.group(3)) > 1023))):
 return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
 return None
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index 06ad751..b448294 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -644,6 +644,17 @@ class test_selinuxusermap(Declarative):
 dict(
+ desc='Create rule with invalid MLS xguest_u:s0:c0.c1028',
+ command=(
+ 'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
+ ),
+ expected=errors.ValidationError(name='selinuxuser',
+ error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
+ u'and/or c[0-1023]-c[0-c0123]'),
+ ),
+
+
+ dict(
 desc='Create rule with invalid user via setattr',
 command=(
 'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')
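Review bot: The added `m = regex_mcs.match(mcs)` runs before the `if mcs` guard on the following line, so when mcs is absent (the guard itself indicates that is a possible state; mcs is split off outside the hunk) a None value now raises TypeError inside the validator instead of falling through to `return None`; keep the guard first, e.g. `m = regex_mcs.match(mcs) if mcs else None`. The 0-1023 bound is applied only to `m.group(3)`, so if regex_mcs (defined outside the hunk) captures the other c-components of the `c[0-1023].c[0-1023]` and `c[0-1023]-c[0-1023]` forms in separate groups, those components stay unbounded above 1023 despite the commit title — confirm against the pattern and extend the check to every numeric group it captures. The unchanged message on the next context line, copied into the new test hunk's expected error, reads `c[0-c0123]` where `c[0-1023]` is evidently intended. validate_selinuxuser begins outside the hunk.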