ipalib/plugins/selinuxusermap.py (documentation strings recovered from the compiled module /usr/lib/python2.6/site-packages/ipalib/plugins/selinuxusermap.pyc; the bytecode itself is not reproduced)

SELinux User Mapping

Map IPA users to SELinux users by host.

Hosts, hostgroups, users and groups can be either defined within the rule or
it may point to an existing HBAC rule. When using the --hbacrule option to
selinuxusermap-find an exact match is made on the HBAC rule name, so only one
or zero entries will be returned.

EXAMPLES:

 Create a rule, "test1", that sets all users to xguest_u:s0 on the host "server":
   ipa selinuxusermap-add --usercat=all --selinuxuser=xguest_u:s0 test1
   ipa selinuxusermap-add-host --hosts=server.example.com test1

 Create a rule, "test2", that sets all users to guest_u:s0 and uses an existing
 HBAC rule for users and hosts:
   ipa selinuxusermap-add --usercat=all --hbacrule=webserver --selinuxuser=guest_u:s0 test2

 Display the properties of a rule:
   ipa selinuxusermap-show test2

 Create a rule for a specific user. This sets the SELinux context for user john
 to unconfined_u:s0-s0:c0.c1023 on any machine:
   ipa selinuxusermap-add --hostcat=all --selinuxuser=unconfined_u:s0-s0:c0.c1023 john_unconfined
   ipa selinuxusermap-add-user --users=john john_unconfined

 Disable a rule:
   ipa selinuxusermap-disable test1

 Enable a rule:
   ipa selinuxusermap-enable test1

 Find a rule referencing a specific HBAC rule:
   ipa selinuxusermap-find --hbacrule=allow_some

 Remove a rule:
   ipa selinuxusermap-del john_unconfined

SEEALSO:

 The list controlling the order in which the SELinux user map is applied and
 the default SELinux user are available in the config-show command.

validate_selinuxuser(ugettext, user):

 An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
 user traditionally ends with _u but this is not mandatory.
 The regex is ^[a-zA-Z][a-zA-Z_]*

 The MLS part can only be:
 Level: s[0-15](-s[0-15])

 Then MCS could be c[0-1023].c[0-1023] and/or c[0-1023]-c[0-1023]

 Meaning
 s0
 s0-s1
 s0-s15:c0.c1023
 s0-s1:c0,c2,c15.c26
 s0-s0:c0.c1023

 Returns a message on invalid, returns nothing on valid.

 The compiled patterns in the module are ^[a-zA-Z][a-zA-Z_]*$ for the user
 name, ^s[0-9][1-5]{0,1}(-s[0-9][1-5]{0,1}){0,1}$ for the MLS level and
 ^c(\d+)([.,-]c(\d+))*?$ for the MCS part. The messages returned on failure
 are "Invalid SELinux user name, only a-Z and _ are allowed", "Invalid MLS
 value, must match s[0-15](-s[0-15])" and "Invalid MCS value, must match
 c[0-1023].c[0-1023] and/or c[0-1023]-c[0-c0123]".

validate_selinuxuser_inlist(ldap, user):

 Ensure the user is in the list of allowed SELinux users. Returns nothing if
 the user is found, raises an exception otherwise. The list is read from the
 ipaselinuxusermaporder attribute of the IPA config entry, split on "$"; the
 errors raised are "SELinux user map list not found in configuration" and
 "SELinux user %(user)s not found in ordering list (in config)".

selinuxusermap (object):

 SELinux User Map object. Object classes ipaassociation and ipaselinuxusermap;
 label "SELinux User Map rule" / "SELinux User Map rules". Attributes and
 their CLI names:
   cn                    Rule name (primary key)
   ipaselinuxuser        --selinuxuser  SELinux User
   seealso               --hbacrule     HBAC Rule that defines the users, groups and hostgroups
   usercategory          --usercat      User category the rule applies to (value: all)
   hostcategory          --hostcat      Host category the rule applies to (value: all)
   description           --desc         Description
   ipaenabledflag        Enabled (no_option)
   memberuser_user       Users
   memberuser_group      User Groups
   memberhost_host       Hosts
   memberhost_hostgroup  Host Groups

 _normalize_seealso: Given a HBAC rule name verify its existence and return
 the dn. Raises "HBAC rule %(rule)s not found" when the lookup fails.

Commands:

 selinuxusermap_add: the pre_callback raises MutuallyExclusiveError with the
 reason "HBAC rule and local members cannot both be set" when an HBAC rule
 and local members (users, groups, hosts or hostgroups, or their categories)
 are given together.

 selinuxusermap_del: Delete a SELinux User Map.
   Summary: Deleted SELinux User Map "%(value)s"

 selinuxusermap_mod: Modify a SELinux User Map.
   Summary: Modified SELinux User Map "%(value)s"
   Its pre_callback applies the same HBAC rule / local members exclusivity
   check and additionally rejects "user category cannot be set to 'all' while
   there are allowed users" and "host category cannot be set to 'all' while
   there are allowed hosts".

 selinuxusermap_find: Search for SELinux User Maps.
   Summary: "%(count)d SELinux User Map matched" / "%(count)d SELinux User Maps matched"

The dump ends in the middle of selinuxusermap_find; the remaining commands in
the module are not recoverable from it.