#6603 Conflicting requirements for SELinux User
Closed: wontfix 5 years ago by rcritten. Opened 7 years ago by nkondras.

While creating an "SELinux User Map" in FreeIPA WebUI, an "SELinux User" is required.

I was playing with the public demo to see how SELinux maps to HBAC rules, and I have no idea what an "SELinux User" is. I just enter "user" and get the following error message:

invalid 'selinuxuser': Invalid MLS value, must match s[0-15](-s[0-15])

Alright, I try to comply and enter something that could match, assuming I understand the pattern syntax: "s1-s1", or even just "s1". However, I get this message in return:

invalid 'selinuxuser': Invalid SELinux user name, only a-Z and _ are allowed

Those messages seem contradictory to me.

It would be good to have a more useful and consistent error message in this case or a link to a help article, or at least some hint on the form. Otherwise it is hard to find what is actually required there, without having good knowledge of SELinux, I assume, which I lack.

I'm still looking, so I would appreciate if somebody could answer briefly what I can enter there, apart from actually looking at the issue. Thank you!


I was able to get through with unconfined_u:s0-s0:c0.c1023, so no answer to the last question is necessary. Thank you.

From the code:

    An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
    user traditionally ends with _u but this is not mandatory.
      The regex is ^[a-zA-Z][a-zA-Z_]*

    The MLS part can only be:
      Level: s[0-15](-s[0-15])

    Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-1023]
    Meaning
    s0 s0-s1 s0-s15:c0.c1023 s0-s1:c0,c2,c15.c26 s0-s0:c0.c1023

So your first value, "user", lacked both MLS and MCS (the parser stops once it hits an error).

For the second value, "s1-s1", it contained the illegal character -.
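As an added example, not FreeIPA's own validator: a Python check that implements the user:MLS[:MCS] rules quoted above and reports which component failed, which is the kind of message the thread asks for. It accepts the "." range and "," list separators shown in the examples; the "-" MCS form mentioned in the comment is not handled, and level ordering is not checked since the page does not describe it.

```python
import re

# Added example (not FreeIPA code): validate user:MLS[:MCS] and name the
# failing component instead of returning a bare regex in the error.
_USER_RE = re.compile(r"^[a-zA-Z][a-zA-Z_]*$")
_LEVEL_RE = re.compile(r"^s(\d{1,2})$")      # s0 .. s15
_CATEGORY_RE = re.compile(r"^c(\d{1,4})$")   # c0 .. c1023

def _level(token):
    m = _LEVEL_RE.match(token)
    if not m or int(m.group(1)) > 15:
        raise ValueError(f"MLS part {token!r}: level must match s[0-15]")
    return int(m.group(1))

def _category(token):
    m = _CATEGORY_RE.match(token)
    if not m or int(m.group(1)) > 1023:
        raise ValueError(f"MCS part {token!r}: category must match c[0-1023]")
    return int(m.group(1))

def validate_selinux_user(value):
    """Return (user, mls, mcs) or raise ValueError naming the bad component."""
    parts = value.split(":")
    if not 2 <= len(parts) <= 3:
        raise ValueError(f"{value!r}: expected user:MLS[:MCS] (MLS is required)")
    user, mls = parts[0], parts[1]
    mcs = parts[2] if len(parts) == 3 else None
    if not _USER_RE.match(user):
        raise ValueError(f"user part {user!r}: only a-Z and _ are allowed")
    levels = mls.split("-")
    if len(levels) > 2:
        raise ValueError(f"MLS part {mls!r}: must match s[0-15](-s[0-15])")
    for level in levels:
        _level(level)
    if mcs is not None:
        for item in mcs.split(","):          # c0 or c0.c1023 ranges, comma separated
            bounds = item.split(".")
            if len(bounds) > 2:
                raise ValueError(f"MCS part {item!r}: must be c[0-1023] or c[0-1023].c[0-1023]")
            for bound in bounds:
                _category(bound)
    return user, mls, mcs

def error_for(value):
    # Convenience wrapper: the error message for a bad value, or None if valid.
    try:
        validate_selinux_user(value)
    except ValueError as exc:
        return str(exc)
    return None
```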

Thanks a lot, Robert! Yeah, I figured out by now, that it was talking about different subparts. Perhaps something like your explanation could be put into those error messages, or a help text, or the form itself?

There is definitely room for improvement.

This bit should be added to main help of the cli, I'm not sure what the UI does with that.

Expanding error messages might be challenging due to length, but perhaps a sample could be included showing expected form.

That would do fine, thank you!

Metadata Update from @nkondras:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
