During review of a patch for ticket #2993 pviktori found several possible improvements for our SELinux user validators:
$ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?'
[...]
  SELinux user map order: unconfined_u:s0-s0:c0.c1023$xguest_u:s5-s1:c0-c4.c3.c8,c4:→Why is stuff allowed here?
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  PAC type: MS-PAC

Obviously extra info should not be allowed. Is "s5-s1" or "c4.c3" valid? Can the first value be higher than the second?

AFAIK (I'm not an expert though), MCS doesn't allow dashes, so "c0-c4" should not be allowed. Chains like "c1.c2.c3" also don't look right.

...

Also, the MLS/MCS numeric limits are not enforced correctly: "xguest_u:s92:c999999999,c0" passes.
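The checks the report asks for can be expressed as a small parser of the `user:low-high` label syntax. The following is an added example, not FreeIPA's own validator: it assumes the limits of the stock targeted/MLS policies (sensitivities s0..s15, categories c0..c1023), assumes SELinux user names are lowercase identifiers, and treats `$` as the separator of the map-order value, as in the command above. It rejects trailing text, dashes inside category sets, chains such as `c1.c2.c3`, descending ranges and out-of-range numbers, and it enforces MLS dominance of the high level over the low level.

```python
import re

# Assumed limits of the stock targeted/MLS policies (not taken from FreeIPA).
MAX_SENSITIVITY = 15   # s0..s15
MAX_CATEGORY = 1023    # c0..c1023

# Assumed shape of an SELinux user name, e.g. unconfined_u, xguest_u.
_USER_RE = re.compile(r"[a-z_][a-z0-9_]*")
_SENS_RE = re.compile(r"s(\d+)")
_CAT_RE = re.compile(r"c(\d+)")


def _parse_sensitivity(token):
    m = _SENS_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad sensitivity {token!r}")
    level = int(m.group(1))
    if level > MAX_SENSITIVITY:
        raise ValueError(f"sensitivity {token!r} above s{MAX_SENSITIVITY}")
    return level


def _parse_category(token):
    m = _CAT_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad category {token!r}")
    cat = int(m.group(1))
    if cat > MAX_CATEGORY:
        raise ValueError(f"category {token!r} above c{MAX_CATEGORY}")
    return cat


def parse_categories(spec):
    """'c0.c1023,c5' -> set of category numbers.

    Only 'cN' and ascending 'cN.cM' items are accepted; dashes, chains such as
    'c1.c2.c3' and any trailing text fail the category regex and are rejected.
    """
    cats = set()
    for item in spec.split(","):
        parts = item.split(".")
        if len(parts) == 1:
            cats.add(_parse_category(parts[0]))
        elif len(parts) == 2:
            lo, hi = _parse_category(parts[0]), _parse_category(parts[1])
            if lo >= hi:
                raise ValueError(f"category range {item!r} must be ascending")
            cats.update(range(lo, hi + 1))
        else:
            raise ValueError(f"category chain {item!r} is not allowed")
    return cats


def parse_level(level):
    """'s0:c0.c1023' or 's0' -> (sensitivity, set of categories)."""
    sens, sep, cats = level.partition(":")
    return _parse_sensitivity(sens), (parse_categories(cats) if sep else set())


def parse_selinux_user(label):
    """'user:low-high' or 'user:level' -> (user, low, high); ValueError on any defect."""
    user, sep, mls_range = label.partition(":")
    if not _USER_RE.fullmatch(user):
        raise ValueError(f"bad SELinux user {user!r}")
    if not sep:
        raise ValueError("MLS/MCS range is missing")
    low_spec, dash, high_spec = mls_range.partition("-")
    low = parse_level(low_spec)
    high = parse_level(high_spec) if dash else low
    # MLS dominance: the high level must be at least as sensitive as the low
    # level and must contain every category of the low level.
    if low[0] > high[0] or not low[1] <= high[1]:
        raise ValueError(f"high level must dominate low level in {mls_range!r}")
    return user, low, high


def is_valid_selinux_user(label):
    try:
        parse_selinux_user(label)
    except ValueError:
        return False
    return True


def parse_user_map_order(order):
    """Split an ipaselinuxusermaporder value on '$' and validate every entry."""
    entries = order.split("$")
    for entry in entries:
        parse_selinux_user(entry)
    return entries


if __name__ == "__main__":
    # Constructed inputs: the valid default from the report and the bad order entry.
    print(is_valid_selinux_user("unconfined_u:s0-s0:c0.c1023"))                          # True
    print(is_valid_selinux_user("xguest_u:s5-s1:c0-c4.c4,c4:→Why is stuff allowed here?"))  # False
    print(is_valid_selinux_user("xguest_u:s92:c999999999,c0"))                           # False
```

Splitting on the first `-` before parsing either level is what lets the same code handle both `s0-s0:c0.c1023` and a single-level `s0` value; anything dash-like inside a category set then lands in the category regex and is refused there.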
Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: Ticket Backlog
Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.
Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.
Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)