#3119 Improve SELinux user validators
Closed: wontfix 5 years ago Opened 11 years ago by mkosek.

During review of a patch for ticket #2993 pviktori found several possible improvements for our SELinux user validators:

$ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?'
[...]
  SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here?
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  PAC type: MS-PAC

Obviously extra info should not be allowed.
Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?
AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4" should not be allowed. Chains like "c1.c2.c3" also don't look right.

... Also, the MLS/MCS numeric limits are not enforced correctly: "xguest_u:s92:c999999999,c0" passes.
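The checks this ticket asks for, written out as an added example validator (this is not FreeIPA's own code): a parser for `seuser:low[-high]` values that rejects trailing text, ranges whose low level is not dominated by the high level, dashes and chains inside category lists, and numbers above the policy limits. The limits s0..s15 and c0..c1023 are the reference-policy defaults and are assumed here; the user-name pattern and the rule that the default user must appear in the map order are this example's own assumptions.

```python
import re

# Limits of the reference MLS/MCS policy, assumed by this example (a real
# deployment could read them from the loaded policy): s0..s15, c0..c1023.
MAX_SENSITIVITY = 15
MAX_CATEGORY = 1023

# Hypothetical SELinux user-name pattern chosen for this example.
_USER_RE = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')
_LEVEL_TOKEN_RE = re.compile(r'([sc])(\d+)')


class SELinuxUserError(ValueError):
    """Raised for any syntactically or semantically invalid SELinux user."""


def _parse_number(token, prefix, limit, what):
    """Parse 's<n>' or 'c<n>' and enforce the policy maximum."""
    m = _LEVEL_TOKEN_RE.fullmatch(token)
    if not m or m.group(1) != prefix:
        raise SELinuxUserError("%r is not a valid %s" % (token, what))
    n = int(m.group(2))
    if n > limit:
        raise SELinuxUserError("%s %r exceeds the policy maximum %s%d"
                               % (what, token, prefix, limit))
    return n


def _parse_categories(spec):
    """'c0.c1023,c5' -> frozenset of category numbers.

    Items are comma separated; each is a single category or a 'cA.cB'
    range with A <= B. Dashes ('c0-c4') and chains ('c1.c2.c3') fail."""
    cats = set()
    for item in spec.split(','):
        bounds = item.split('.')
        if len(bounds) > 2:
            raise SELinuxUserError("category chain %r is not valid" % item)
        lo = _parse_number(bounds[0], 'c', MAX_CATEGORY, 'category')
        hi = lo if len(bounds) == 1 else _parse_number(
            bounds[1], 'c', MAX_CATEGORY, 'category')
        if lo > hi:
            raise SELinuxUserError("category range %r is inverted" % item)
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def _parse_level(level):
    """'s0' or 's0:c0.c1023' -> (sensitivity, frozenset of categories)."""
    sens, sep, cats = level.partition(':')
    s = _parse_number(sens, 's', MAX_SENSITIVITY, 'sensitivity')
    return s, (_parse_categories(cats) if sep else frozenset())


def parse_selinux_user(value):
    """Validate 'seuser:low[-high]' and return (seuser, low, high).

    Each level is (sensitivity, categories). The high level must dominate
    the low one: equal or greater sensitivity and a superset of categories,
    so 's5-s1' and 's0:c0.c1023-s0:c0.c10' are both rejected."""
    user, sep, mls = value.partition(':')
    if not _USER_RE.fullmatch(user):
        raise SELinuxUserError("invalid SELinux user name %r" % user)
    if not sep or not mls:
        raise SELinuxUserError("%r lacks an MLS/MCS range" % value)
    low_str, dash, high_str = mls.partition('-')
    if '-' in high_str:
        raise SELinuxUserError("more than one '-' in range %r" % mls)
    low = _parse_level(low_str)
    high = _parse_level(high_str) if dash else low
    if low[0] > high[0] or not low[1] <= high[1]:
        raise SELinuxUserError("low level %r is not dominated by high level %r"
                               % (low_str, high_str))
    return user, low, high


def is_valid_selinux_user(value):
    """Boolean wrapper around parse_selinux_user()."""
    try:
        parse_selinux_user(value)
        return True
    except SELinuxUserError:
        return False


def validate_selinux_user_map(order, default):
    """Check a '$'-separated user map order together with its default.

    Every entry must parse, and (a rule this example imposes) the default
    must be one of the entries. Returns the list of validated entries."""
    entries = order.split('$')
    for entry in entries:
        parse_selinux_user(entry)  # raises on the first bad entry
    parse_selinux_user(default)
    if default not in entries:
        raise SELinuxUserError("default %r is not in the map order" % default)
    return entries


if __name__ == '__main__':
    # Constructed samples, including the shapes questioned in the ticket.
    for sample in ("unconfined_u:s0-s0:c0.c1023", "xguest_u:s5-s1",
                   "xguest_u:s0:c0-c4", "xguest_u:s0:c1.c2.c3",
                   "xguest_u:s92:c999999999,c0"):
        print("%-32s %s" % (sample, "ok" if is_valid_selinux_user(sample)
                            else "rejected"))
```

Running the block prints one line per sample; only the first is accepted. Building the category set explicitly (rather than comparing strings) is what lets the dominance check catch a low level whose categories are not a subset of the high level's.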

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately, this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request, I am closing the issue as wontfix. To request reconsideration of this decision, please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago