From b3f06994b7b44a0f9cd0c6bd0302c9db87dc2502 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 15 Jan 2019 17:33:56 +0100
Subject: [PATCH] Fix systemd-user HBAC rule
2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that
encoded the service wrongly.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928
Fixes: https://pagure.io/freeipa/issue/7831
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
install/share/default-hbac.ldif | 2 +-
ipatests/test_integration/test_commands.py | 12 +++++++++---
2 files changed, 10 insertions(+), 4 deletions(-)
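--- a/install/share/default-hbac.ldif
+++ b/install/share/default-hbac.ldif
@@ -21,7 +21,7 @@ cn: allow_systemd-user
 accessruletype: allow
 usercategory: all
 hostcategory: all
-servicecategory: systemd-user
+memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX
 ipaenabledflag: TRUE
 description: Allow pam_systemd to run user@.service to create a system user session
 ipauniqueid: autogenerate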
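Review bot: The corrected `memberService` line only reaches fresh installs, because this hunk edits the install-time default-hbac.ldif and the diffstat lists no upgrade or update file. If the earlier commit has already shipped, existing servers would presumably keep the rule with `servicecategory: systemd-user` and need a separate fix, which is worth confirming. The rule also now depends on the `cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX` entry being created, which is outside the hunk. I would add a comment above the rule such as `# servicecategory accepts only "all"; a single service is referenced via memberService` so the mistake is not repeated. The entry itself starts above the hunk.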
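--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -500,12 +500,18 @@ class TestIPACommand(IntegrationTest):
 # https://pagure.io/freeipa/issue/7831
 tasks.kinit_admin(self.master)
 # check for presence
- self.master.run_command(
- ['ipa', 'hbacrule-show', 'allow_systemd-user']
- )
 self.master.run_command(
 ['ipa', 'hbacsvc-show', 'systemd-user']
 )
+ result = self.master.run_command(
+ ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all']
+ )
+ lines = set(l.strip() for l in result.stdout_text.split('\n'))
+ assert 'User category: all' in lines
+ assert 'Host category: all' in lines
+ assert 'Enabled: TRUE' in lines
+ assert 'Services: systemd-user' in lines
+ assert 'accessruletype: allow' in lines
 
 # delete both
 self.master.run_command(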
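Review bot: The new assertions check that `Services: systemd-user` is present but never check that the rule is limited to it, so a rule that also carried a service category of all would presumably still pass. With user and host category both `all`, the service restriction is the only thing scoping this allow rule. After the `Services` assert I would add `assert not any(line.startswith('Service category') for line in lines)`, assuming that is the label `hbacrule-show` prints. On style, `l` is easy to misread as `1`, and the set reads more clearly as `lines = {line.strip() for line in result.stdout_text.splitlines()}`. The test method begins and ends outside the hunk.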
--
2.20.1