#2993 Syntax check should be done on selinuxusermaporder attribute
Closed: Fixed None Opened 11 years ago by aakkiang.

ipa config-mod for the ipaselinuxusermaporder attribute should perform a syntax check: http://www.freeipa.org/page/SELinux_user_mapping#SELinux_user_syntax

In the following example, 1 and 2 do not do a syntax check, whereas 3 does.

Expected result: 1 and 2 should perform syntax check.

1. # ipa config-mod --ipaselinuxusermaporder=guest_u:s0\$test234:s0
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$test234:s0
  Default SELinux user: guest_u:s0
  PAC type: MS-PAC

2. # ipa config-mod --setattr=ipaselinuxusermaporder=guest_u:s0\$test123:s0
  Maximum username length: 32
  Home directory base: /home
  Default shell: /bin/sh
  Default users group: ipausers
  Default e-mail domain: testrelm.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=TESTRELM.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$test123:s0
  Default SELinux user: guest_u:s0
  PAC type: MS-PAC

3. # ipa selinuxusermap-add --selinuxuser=test123:s0 mytest1
ipa: ERROR: invalid 'selinuxuser': Invalid SELinux user name, only a-Z and _ are allowed

We should test to see what happens if a bad SELinux user context gets assigned. What does sssd/SELinux do with it?

Replying to [comment:2 rcritten]:

We should test to see what happens if a bad SELinux user context gets assigned. What does sssd/SELinux do with it?

Jakub, can SSSD cope with this situation?

The SSSD doesn't do any validation whatsoever right now.

I've asked the selinux-policy maintainer in a private e-mail whether the libselinux library offers any API that could be used for validation.

Patch freeipa-mkosek-313-validate-selinux-users-in-config-mod.patch sent for review

Replying to [comment:5 jhrozek]:

The SSSD doesn't do any validation whatsoever right now.

I've asked the selinux-policy maintainer in a private e-mail whether the libselinux library offers any API that could be used for validation.

It was recommended by Dan Walsh that we just pass whatever we get from the server to the libselinux on the client and let SELinux do the right thing. I tend to agree with him.

We could, however, use security_canonicalize_context() to try to validate the context and issue a warning to the logs. I've opened https://fedorahosted.org/sssd/ticket/1550 to track it as an enhancement.
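A sketch of the server-side check this ticket asks for, as an added example that is not part of the ticket and is not the FreeIPA patch: it splits the map order on `$` and validates each entry. The user-name rule follows the error text in example 3; the `user:MLS[:MCS]` layout and the MLS/MCS patterns are simplified assumptions, and the function names are hypothetical.

```python
import re

# Assumed grammar (not taken from FreeIPA's source): entries are separated
# by "$" and each entry is user:MLS[:MCS]. The user-name rule mirrors the
# error in example 3 ("only a-Z and _ are allowed"); the MLS and MCS
# patterns below are simplified for illustration.
USER_RE = re.compile(r"[A-Za-z_]+")
MLS_RE = re.compile(r"s\d+(-s\d+)?")
MCS_RE = re.compile(r"c\d+([.,]c\d+)*")


def check_selinux_user(entry):
    """Return None if the entry is well formed, else a reason string."""
    parts = entry.split(":")
    if len(parts) not in (2, 3):
        return "expected user:MLS[:MCS]"
    user, mls = parts[0], parts[1]
    if not USER_RE.fullmatch(user):
        return "invalid user name %r, only a-Z and _ are allowed" % user
    if not MLS_RE.fullmatch(mls):
        return "invalid MLS level %r" % mls
    if len(parts) == 3 and not MCS_RE.fullmatch(parts[2]):
        return "invalid MCS categories %r" % parts[2]
    return None


def check_map_order(value):
    """Validate a whole map-order string; return a list of error strings."""
    errors = []
    for entry in value.split("$"):
        reason = check_selinux_user(entry)
        if reason:
            errors.append("%s: %s" % (entry or "<empty>", reason))
    return errors


if __name__ == "__main__":
    # The first two values are the ones from examples 1 and 2 in this ticket;
    # the last two are constructed samples.
    for sample in ("guest_u:s0$test234:s0",
                   "guest_u:s0$test123:s0",
                   "guest_u:s0$xguest_u:s0$user_u:s0-s0:c0.c1023",
                   "guest_u:s0$"):
        print(sample, "->", check_map_order(sample) or "OK")
```

Running every `$`-separated entry through the same function that validates a single `selinuxuser` keeps `--ipaselinuxusermaporder` and `--setattr` consistent with `selinuxusermap-add`.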

Metadata Update from @aakkiang:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 3.0 RC2

7 years ago
