I run the IPA selinuxusermap plugin tests on ALTLinux via:

    ipa-run-tests -vs test_xmlrpc/test_selinuxusermap_plugin.py
1) There are many fails:
    "test_selinuxusermap_plugin.py::test_selinuxusermap::test_command[0003: selinuxusermap_add: Create rule 'selinuxrule1']": true,
    "test_selinuxusermap_plugin.py::test_selinuxusermap::test_command[0004: selinuxusermap_add: Try to create duplicate 'selinuxrule1']": true,
    "test_selinuxusermap_plugin.py::test_selinuxusermap::test_command[0005: selinuxusermap_show: Retrieve rule 'selinuxrule1']": true,
    ...
    "test_selinuxusermap_plugin.py::test_selinuxusermap::test_command[0059: selinuxusermap_del: Delete 'selinuxrule1']": true
    <testcase classname="ipa.test_selinuxusermap_plugin.test_selinuxusermap" file="../../usr/lib64/python3/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py" line="329" name="test_command[0003: selinuxusermap_add: Create rule 'selinuxrule1']" time="0.053">
    <failure message="ipalib.errors.NotFound: SELinux user guest_u:s0 not found in ordering list (in config)">
    self = <ipatests.test_xmlrpc.test_selinuxusermap_plugin.test_selinuxusermap object at 0x7fa6e56c3f28>
    index = 3
    declarative_test_definition = {'command': ('selinuxusermap_add', ['selinuxrule1'], {'ipaselinuxuser': 'guest_u:s0', 'version': '2.230'}), 'desc': "C...nux User Map "selinuxrule1"', 'value': 'selinuxrule1'}, 'nice': "0003: selinuxusermap_add: Create rule 'selinuxrule1'"}

        def test_command(self, index, declarative_test_definition):
            """Run an individual test

            The arguments are provided by the pytest plugin.
            """
            if callable(declarative_test_definition):
                declarative_test_definition(self)
            else:
    >           self.check(**declarative_test_definition)

    /usr/lib64/python3/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:338:
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    /usr/lib64/python3/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:350: in check
        self.check_output(nice, cmd, args, options, expected, extra_check)
    /usr/lib64/python3/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:398: in check_output
        got = api.Command[cmd](*args, **options)
    /usr/lib64/python3/site-packages/ipalib/frontend.py:450: in __call__
        return self.__do_call(*args, **options)
    /usr/lib64/python3/site-packages/ipalib/frontend.py:478: in __do_call
        ret = self.run(*args, **options)
    /usr/lib64/python3/site-packages/ipalib/frontend.py:801: in run
        return self.forward(*args, **options)
    /usr/lib64/python3/site-packages/ipalib/frontend.py:824: in forward
        *args, **kw)
    /usr/lib64/python3/site-packages/ipalib/rpc.py:1151: in forward
        return self._call_command(command, params)
    /usr/lib64/python3/site-packages/ipalib/rpc.py:1127: in _call_command
        return command(*params)
    /usr/lib64/python3/site-packages/ipalib/rpc.py:1281: in _call
        return self.__request(name, args)
    _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
    self = <ipalib.rpc.JSONServerProxy object at 0x7fa6e86db7b8>
    name = 'selinuxusermap_add/1'
    args = (('selinuxrule1',), {'ipaselinuxuser': 'guest_u:s0', 'version': '2.230'})

        def __request(self, name, args):
            print_json = self.__verbose >= 2
            payload = {'method': unicode(name), 'params': args, 'id': 0}
            version = args[1].get('version', VERSION_WITHOUT_CAPABILITIES)
            payload = json_encode_binary(
                payload, version, pretty_print=print_json)

            if print_json:
                logger.info(
                    'Request: %s',
                    payload
                )

            response = self.__transport.request(
                self.__host,
                self.__handler,
                payload.encode('utf-8'),
                verbose=self.__verbose >= 3,
            )

            if print_json:
                logger.info(
                    'Response: %s',
                    json.dumps(json.loads(response), sort_keys=True, indent=4)
                )

            try:
                response = json_decode_binary(response)
            except ValueError as e:
                raise JSONError(error=str(e))

            error = response.get('error')
            if error:
                try:
                    error_class = errors_by_code[error['code']]
                except KeyError:
                    raise UnknownError(
                        code=error.get('code'),
                        error=error.get('message'),
                        server=self.__host,
                    )
                else:
                    kw = error.get('data', {})
                    kw['message'] = error['message']
    >               raise error_class(**kw)
    E               ipalib.errors.NotFound: SELinux user guest_u:s0 not found in ordering list (in config)

    /usr/lib64/python3/site-packages/ipalib/rpc.py:1275: NotFound
    </failure>
    </testcase>
The error message is ipalib.errors.NotFound: SELinux user guest_u:s0 not found in ordering list (in config).
ALTLinux SELinux settings/defaults differ 'slightly' from the IPA ones. For example:
    # semanage user -l

                    Labeling   MLS/       MLS/
    SELinux User    Prefix     MCS Level  MCS Range       SELinux Roles

    generic_u       user       s0         s0-s3:c0.c15    generic_r
    generic_u1      user       s1         s1-s3:c0.c15    generic_r
    generic_u2      user       s2         s2-s3:c0.c15    generic_r
    generic_u3      user       s3         s3-s3:c0.c15    generic_r
    officer_u       user       s0         s0-s3:c0.c15    generic_r officer_r

    # seinfo --category | grep Categ
    Categories: 16
    # seinfo --sensitivity | grep Sens
    Sensitivities: 4
My proposal is to move basic SELinux settings out to ipaplatform.constants:
2) It was figured out that install/updates/50-ipaconfig.update contains a wrong value to be replaced on:
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
while it should be
(without the second ipaSELinuxUserMapOrder:, because the right syntax is old::new)
The history of changes for this update file:
release-4-7-0 diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update --- a/install/updates/50-ipaconfig.update +++ b/install/updates/50-ipaconfig.update @@ -2,1 +2,1 @@ -add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 +replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 release-3-1-0 diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update --- a/install/updates/50-ipaconfig.update +++ b/install/updates/50-ipaconfig.update @@ -2,1 +2,1 @@ -add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 +add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 beta_1-3-0-0 diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update --- a/install/updates/50-ipaconfig.update +++ b/install/updates/50-ipaconfig.update @@ -2,2 +2,1 @@ -default:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 -default:ipaSELinuxUserMapDefault: guest_u:s0 +add:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 beta_1-3-0-0 diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update --- /dev/null +++ b/install/updates/50-ipaconfig.update @@ -0,0 +2,2 @@ +default:ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023 +default:ipaSELinuxUserMapDefault: guest_u:s0
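Review bot: In the release-4-7-0 hunk, the text after `::` on the `+replace:` line starts with `ipaSELinuxUserMapOrder: ` a second time, so the attribute name becomes part of the new value that gets written. Drop that second prefix so the line has the form `replace: ipaSELinuxUserMapOrder: <old>::<new>`. The old side also only matches entries that still hold `user_u:s0-s0:c0.c1023`, the value added by the lines before release-3-1-0, and a comment above the line saying which installs it targets would help the next reader.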
So, those who perform an upgrade (<3.1.0) => 4.7.0+ will see in the IPA config: ipaSELinuxUserMapOrder: 'ipaSELinuxUserMapOrder: guest_u$$...'
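The `old::new` split described in point 2, as an added example that is not FreeIPA's own code: a simplified model of how a `replace:` line divides into old and new values, with a lint check for the repeated attribute name. The function names are hypothetical, the `FIXED` line is constructed from the ticket's description, and treating runs of `$` as the entry separator is an assumption.

```python
import re

# Constructed from the values quoted in the ticket's update line.
OLD = ("guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023"
       "$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023")
NEW = ("guest_u:s0$$xguest_u:s0$$user_u:s0"
       "$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023")
ATTR = "ipaSELinuxUserMapOrder"
BUGGY = "replace: %s: %s::%s: %s" % (ATTR, OLD, ATTR, NEW)  # line as shipped
FIXED = "replace: %s: %s::%s" % (ATTR, OLD, NEW)            # second name dropped


def parse_directive(line):
    """Model of 'action: attr: value'; replace values split once on '::'."""
    action, rest = line.split(":", 1)
    attr, value = rest.split(":", 1)
    action, attr, value = action.strip(), attr.strip(), value.strip()
    if action != "replace":
        return action, attr, None, value
    if "::" not in value:
        raise ValueError("replace directive needs old::new")
    old, new = value.split("::", 1)
    return action, attr, old, new


def lint_replace(line):
    """Flag a replace whose new value starts with the attribute name."""
    action, attr, _old, new = parse_directive(line)
    pattern = r"\s*%s\s*:" % re.escape(attr)
    if action == "replace" and re.match(pattern, new, re.IGNORECASE):
        return ["new value repeats attribute name '%s'" % attr]
    return []


def ordering_entries(value):
    """Assumption: runs of '$' separate the SELinux users in the ordering."""
    return [entry for entry in re.split(r"\$+", value) if entry]


if __name__ == "__main__":
    for label, line in (("buggy", BUGGY), ("fixed", FIXED)):
        new = parse_directive(line)[3]
        print(label, lint_replace(line), ordering_entries(new)[0])
```

Run over every `replace:` line in an update file, the lint catches this class of mistake before the value reaches the directory.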
master:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
ipa-4-8: