Re: [Freeipa-devel] [PATCH] 1049 validate MLS value

2012-08-29 Thread Martin Kosek
On 08/28/2012 11:16 PM, Rob Crittenden wrote:
> Validate that the MLS value in a SELinux user map user is in the range
> c0..c1023.
>
> Existing tests validate correct values, empty values, I'm just adding a high
> value test.
>
> rob
 

ACK. Pushed to master, ipa-3-0.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 1049 validate MLS value

2012-08-28 Thread Rob Crittenden
Validate that the MLS value in a SELinux user map user is in the range 
c0..c1023.


Existing tests validate correct values, empty values, I'm just adding a 
high value test.


rob
From 94cbfc3aeaed521319a9da371a44f3873a46657a Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Tue, 28 Aug 2012 17:14:28 -0400
Subject: [PATCH] Restrict the SELinux user map user MLS value to 0-1023

https://fedorahosted.org/freeipa/ticket/3001
---
 ipalib/plugins/selinuxusermap.py|  3 ++-
 tests/test_xmlrpc/test_selinuxusermap_plugin.py | 11 +++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index e4cebc1e41bc315e285899e4279bcac26143ab2e..d793987aaa17c38fa5d6d83cb56038a7a5ebcd23 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -97,7 +97,8 @@ def validate_selinuxuser(ugettext, user):
 return _('Invalid SELinux user name, only a-Z and _ are allowed')
 if not mls or not regex_mls.match(mls):
 return _('Invalid MLS value, must match s[0-15](-s[0-15])')
-if mcs and not regex_mcs.match(mcs):
+m = regex_mcs.match(mcs)
+if mcs and (not m or (m.group(3) and (int(m.group(3))  1023))):
 return _('Invalid MCS value, must match c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]')
 
 return None
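Review bot: `m = regex_mcs.match(mcs)` now runs before the `mcs` truthiness test on the following line, so if `mcs` can be None here (the removed `if mcs and not regex_mcs.match(mcs)` guarded against a falsy value) the match call raises TypeError instead of skipping validation; evaluate the match only after confirming `mcs` is set. The range bound is applied only to `m.group(3)`, so nothing visible in this hunk rejects a first category above 1023; every captured category number should be checked. As displayed, `int(m.group(3))  1023` has no comparison operator, so the intended `>` should be confirmed against the pushed commit. The error string also ends in `c[0-c0123]`, which looks like a typo for `c[0-1023]`.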
diff --git a/tests/test_xmlrpc/test_selinuxusermap_plugin.py b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
index 83260e8ab982da59343d84eba63c21e135ce61d4..aa2d0cac92f0944653be87be5df1fbe96470b3bc 100644
--- a/tests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/tests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -645,6 +645,17 @@ class test_selinuxusermap(Declarative):
 
 
 dict(
+desc='Create rule with invalid MLS xguest_u:s0:c0.c1028',
+command=(
+'selinuxusermap_add', [rule1], dict(ipaselinuxuser=u'xguest_u:s0-s0:c0.c1028')
+),
+expected=errors.ValidationError(name='selinuxuser',
+error=u'Invalid MCS value, must match c[0-1023].c[0-1023] ' +
+u'and/or c[0-1023]-c[0-c0123]'),
+),
+
+
+dict(
 desc='Create rule with invalid user via setattr',
 command=(
 'selinuxusermap_mod', [rule1], dict(setattr=u'ipaselinuxuser=deny')
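Review bot: the `desc` of the added case reads 'invalid MLS xguest_u:s0:c0.c1028', but the value submitted is `xguest_u:s0-s0:c0.c1028` and the expected error is the MCS one; the description should quote the actual input and name MCS. The case exercises only an out-of-range second category, so a companion case with the first category above 1023 and a boundary case that accepts c1023 would pin down both ends of the new check.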
-- 
1.7.11.4
