URL: https://github.com/freeipa/freeipa/pull/3393 Author: abbra Title: #3393: [Backport][ipa-4-8] Fix `test_webui.test_selinuxusermap` Action: opened
PR body: """ This PR was opened automatically because PR #3372 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/3393/head:pr3393 git checkout pr3393
From 0e380c3d1d7004df11b98259e2ce860f49607226 Mon Sep 17 00:00:00 2001 From: Stanislav Levin <s...@altlinux.org> Date: Fri, 5 Jul 2019 14:39:17 +0300 Subject: [PATCH] Fix `test_webui.test_selinuxusermap` A previous refactoring of SELinux tests made a wrong assumption about the user field separator within ipaSELinuxUserMapOrder. That was '$$', but should be just '$'. Actually, '.ldif' and '.update' files are passed through Python template string substitution: > $$ is an escape; it is replaced with a single $. > $identifier names a substitution placeholder matching > a mapping key of "identifier" This means that the text being substituted in should not be escaped. The wrong ipaSELinuxUserMapOrder previously set will be replaced on upgrade. Fixes: https://pagure.io/freeipa/issue/7996 Fixes: https://pagure.io/freeipa/issue/8005 Signed-off-by: Stanislav Levin <s...@altlinux.org> --- install/updates/50-ipaconfig.update | 1 + ipaplatform/base/constants.py | 10 +++++----- ipaserver/install/ldapupdate.py | 3 +++ ipatests/test_integration/test_winsyncmigrate.py | 2 +- ipatests/test_webui/data_selinuxusermap.py | 4 ++-- ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 4 ++-- 6 files changed, 14 insertions(+), 10 deletions(-) diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update index 2e1c5c3571..35e154b4e7 100644 --- a/install/updates/50-ipaconfig.update +++ b/install/updates/50-ipaconfig.update
@@ -1,4 +1,5 @@
 dn: cn=ipaConfig,cn=etc,$SUFFIX
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
 replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
 add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index cdb72e74a8..eac60cac38 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -62,11 +62,11 @@ class BaseConstantsNamespace:
 SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
 SELINUX_USERMAP_ORDER = (
 "guest_u:s0"
- "$$xguest_u:s0"
- "$$user_u:s0"
- "$$staff_u:s0-s0:c0.c1023"
- "$$sysadm_u:s0-s0:c0.c1023"
- "$$unconfined_u:s0-s0:c0.c1023"
+ "$xguest_u:s0"
+ "$user_u:s0"
+ "$staff_u:s0-s0:c0.c1023"
+ "$sysadm_u:s0-s0:c0.c1023"
+ "$unconfined_u:s0-s0:c0.c1023"
 )
 SSSD_USER = "sssd"
 # WSGI module override, only used on Fedora
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index d9e47dcc0d..0cdea6a822 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
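Review bot: The added `replace:` line in install/updates/50-ipaconfig.update only repairs a directory whose ipaSELinuxUserMapOrder holds exactly the six-entry default written with doubled separators. As the `old::new` form suggests, it matches on the whole old value, so a platform-specific or admin-edited list that was stored with `$$` would presumably keep its malformed order after upgrade. Because this attribute decides which SELinux user a login is mapped to, the limitation deserves a comment above the line, for example `# Repairs only the unmodified default stored with '$$' separators (pagure 7996/8005); customised values need manual correction`. An upgrade-time check that reports any remaining value containing `$$` would close the gap more fully.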
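Review bot: Nothing on `SELINUX_USERMAP_ORDER` in ipaplatform/base/constants.py records why the separator is a single `$`, which is the assumption the earlier refactoring got wrong. A comment directly above the tuple would keep it from regressing, e.g. `# Entries are separated by a single '$'; this value is inserted as substitution text into .ldif/.update templates and must not be escaped as '$$'`. The class body starts and continues outside the hunk, so any platform subclasses that override this constant are not visible here and should be checked for the same separator.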
@@ -322,6 +322,9 @@ def __init__(self, dm_password=None, sub_dict={}, if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"): self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \ platformconstants.SELINUX_USERMAP_DEFAULT + if not self.sub_dict.get("SELINUX_USERMAP_ORDER"): + self.sub_dict["SELINUX_USERMAP_ORDER"] = \ + platformconstants.SELINUX_USERMAP_ORDER self.api = create_api(mode=None) self.api.bootstrap(in_server=True, context='updates', diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py index 593fc2065a..be9f440728 100644 --- a/ipatests/test_integration/test_winsyncmigrate.py +++ b/ipatests/test_integration/test_winsyncmigrate.py @@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest): ipa_group = 'ipa_group' ad_user = 'testuser' default_shell = platformconstants.DEFAULT_SHELL - selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] + selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] test_role = 'test_role' test_hbac_rule = 'test_hbac_rule' test_selinux_map = 'test_selinux_map' diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py index ca7b1dcdd1..312e7592f0 100644 --- a/ipatests/test_webui/data_selinuxusermap.py +++ b/ipatests/test_webui/data_selinuxusermap.py @@ -5,8 +5,8 @@ from ipaplatform.constants import constants as platformconstants # for example, user_u:s0 -selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] -selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1] +selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] +selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1] selinux_mcs_max = platformconstants.SELINUX_MCS_MAX selinux_mls_max = platformconstants.SELINUX_MLS_MAX diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py index 0b73992aa0..e5b23bd4d2 100644 
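Review bot: The new stanza in ipaserver/install/ldapupdate.py writes into `self.sub_dict`, while the hunk header shows `__init__` declaring `sub_dict={}` as a mutable default. If `self.sub_dict` is bound directly to that argument (the assignment is outside the hunk), the value filled in here lands on one dict shared by every instance created without an explicit `sub_dict`. Consider `sub_dict=None` in the signature with `self.sub_dict = {} if sub_dict is None else sub_dict`. Separately, `if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):` also overrides an explicitly supplied empty value; a short comment stating that this is intended would help.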
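Review bot: The separator is still a bare literal in `split("$")` in ipatests/test_integration/test_winsyncmigrate.py, and again in the hunks for ipatests/test_webui/data_selinuxusermap.py and ipatests/test_xmlrpc/test_selinuxusermap_plugin.py, which is how these copies drifted away from the constant in the first place. Defining the separator once beside `SELINUX_USERMAP_ORDER` (a new name such as `SELINUX_USERMAP_SEPARATOR = "$"`, which this patch does not contain) and splitting on it in all three modules would keep them in step. The `[1]` lookups in the two later hunks raise IndexError at import time if the split ever yields a single element, so a one-line comment on that assumption is worthwhile.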
--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py +++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py @@ -32,8 +32,8 @@ import pytest rule1 = u'selinuxrule1' -selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0] -selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1] +selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0] +selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1] INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format( platformconstants.SELINUX_MCS_REGEX,