#7510 validate_selinuxuser does not allow a period in selinux user identifier
Closed: fixed 6 years ago Opened 6 years ago by rcritten.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1562606

Description of problem:

https://github.com/freeipa/freeipa/blob/beb6d74b81eae9965ddc031db1a3826c01d59d30/ipaserver/plugins/selinuxusermap.py#L104

The above code seems to do some "sanity" checks that force one to use selinux
user identities with only "aZ" and "_".

The CIL selinux policy language leverages "name spaces" so would be nice if we
can use that.

Example:

unconfined_u would be unconfined.u

Do we need these sanity checks at all though? I would expect that libsemanage
takes care of this for us?

The mls checks also seem to assume that one has no more than 15 sensitivities.
There is no hard limit to 15 in practice.
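
The kind of check this ticket describes, as an added example that is not FreeIPA's code: the regexes, the function name and its parameters are assumptions made for illustration. It goes slightly beyond the ticket by making the sensitivity cap an optional parameter, so the strict and relaxed behaviour can be compared on the same input.

```python
import re

# Patterns are assumptions for this illustration, not FreeIPA's own regexes.
# They are applied with fullmatch() so a trailing newline cannot slip through.
STRICT_NAME = re.compile(r"[a-zA-Z][a-zA-Z_]*")    # letters and "_" only
RELAXED_NAME = re.compile(r"[a-zA-Z][a-zA-Z_.]*")  # additionally accepts "."
LEVEL = re.compile(r"s(\d+)(?:-s(\d+))?")          # sN or sN-sM, any width
MCS = re.compile(r"c\d+(?:[.,]c\d+)*")             # e.g. c0.c1023 or c0,c5


def validate_selinux_user(value, allow_dot=True, max_sensitivity=None):
    """Return None if 'user:MLS[:MCS]' is acceptable, else an error string.

    max_sensitivity=None applies no cap in this function;
    max_sensitivity=15 reproduces the fixed cap the ticket objects to.
    """
    parts = value.split(":")
    if len(parts) not in (2, 3):
        return "expected user:MLS[:MCS]"
    name, mls = parts[0], parts[1]

    name_re = RELAXED_NAME if allow_dot else STRICT_NAME
    if not name_re.fullmatch(name):
        return "invalid SELinux user name %r" % name

    m = LEVEL.fullmatch(mls)
    if not m:
        return "invalid MLS range %r" % mls
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if low > high:
        return "MLS range is reversed"
    if max_sensitivity is not None and high > max_sensitivity:
        return "sensitivity above s%d" % max_sensitivity

    if len(parts) == 3 and not MCS.fullmatch(parts[2]):
        return "invalid MCS %r" % parts[2]
    return None


if __name__ == "__main__":
    # Constructed sample values, checked under both settings.
    for sample in ("unconfined_u:s0-s0:c0.c1023", "unconfined.u:s0", "staff_u:s0-s20"):
        print(sample,
              "| strict:", validate_selinux_user(sample, False, 15),
              "| relaxed:", validate_selinux_user(sample))
```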

Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1562606

6 years ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

6 years ago

master:

  • 9d73e4a Allow dot as a valid character in an selinux identity name

ipa-4-6:

  • 810348f Allow dot as a valid character in an selinux identity name

Metadata Update from @cheimes:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

6 years ago
