Description of problem: https://github.com/freeipa/freeipa/blob/beb6d74b81eae9965ddc031db1a3826c01d59d30/ipaserver/plugins/selinuxusermap.py#L104 The above code seems to do some "sanity" checks that forces one to use selinux user identities with only "aZ" and "_" The CIL selinux policy language leverages "name spaces" so would be nice if we can use that. Example: unconfined_u would be unconfined.u Do we need these sanity checks at all though? I would expect that libsemanage takes care of this for us? The mls checks also seem to assume that one has no more than 15 sensitivities. There is no hard limit to 15 in practice.
If there is a python binding to libsemanage to do the validation that would definitely be preferable to the IPA checking. The checks are there to try to help guide the user (the syntax is not exactly obvious) and typos/errors may not be detected until the user actually tries to apply things on a system so determining source of a problem might not be obvious. At least that was the thinking at the time this was implemented.
Can you then at least allow periods in names in addition to underscores? If you allow periods then I believe at least I will be able to tell sss selinux child about my selinux users, and hopefully that then allows me to actually log in. These checks should ideally be re-done because the assumptions made limit functionality (i.e. only _ in names, only 16 levels, only 1024 categories) Not to mention that even if it does not detect typos/errors, that does not mean that when the user tries to apply things that it will work. For example just because there are 15 levels and 1024 compartments, that does not have to mean that the user is authorized to associate with all of them. Your test would allow it but the sss selinux child transaction might still fail because the range does not fall into the permissible range.
I'm ok adding period to the regex. You point out the very real deficiencies in this, all related to the disconnect between setting the rules and what may actually exist on a remote system. I don't have an answer for that. I added the validation so the admin would have a fighting chance of at least having the syntax approaching correctness. It is the best we can do (assuming we actually enforce the syntax properly of course).
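The two comments above describe the shape of the check under discussion: a name regex that should admit CIL-style dotted identifiers such as unconfined.u, and an MLS/MCS range check whose sensitivity and category ceilings should not be hard-coded. The following is an added illustration of such a validator, not FreeIPA's own code; the `max_sens` and `max_cat` defaults and the dominance check are assumptions chosen for the example.

```python
import re

# Added example, not FreeIPA's validator. The "user:low-high" shape and the
# level syntax s<N>[:c<N>[.c<M>][,...]] follow SELinux conventions; the
# ceilings are parameters because only the policy loaded on the target host
# knows which sensitivities and categories really exist.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*$")  # permits CIL-style dots
LEVEL_RE = re.compile(r"^s(\d+)(?::(c\d+(?:\.c\d+)?(?:,c\d+(?:\.c\d+)?)*))?$")


def parse_level(level, max_sens, max_cat):
    """Return (sensitivity, set_of_categories) for one MLS level or raise ValueError."""
    m = LEVEL_RE.match(level)
    if not m:
        raise ValueError(f"malformed MLS level: {level!r}")
    sens = int(m.group(1))
    if sens > max_sens:
        raise ValueError(f"sensitivity s{sens} exceeds configured s{max_sens}")
    cats = set()
    for part in (m.group(2) or "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        if lo_n > hi_n or hi_n > max_cat:
            raise ValueError(f"bad category range {part!r} (max c{max_cat})")
        cats.update(range(lo_n, hi_n + 1))
    return sens, cats


def validate_selinux_user(spec, max_sens=15, max_cat=1023):
    """Parse 'name[:low[-high]]'; return (name, low, high) or raise ValueError."""
    name, sep, mls = spec.partition(":")
    if not NAME_RE.match(name):
        raise ValueError(f"bad SELinux user name {name!r}")
    if not sep:
        return name, None, None
    low_s, _, high_s = mls.partition("-")
    low = parse_level(low_s, max_sens, max_cat)
    high = parse_level(high_s, max_sens, max_cat) if high_s else low
    # A range is well-formed only if the high level dominates the low one:
    # at least the same sensitivity and a superset of the categories.
    if high[0] < low[0] or not low[1] <= high[1]:
        raise ValueError(f"high level does not dominate low level in {spec!r}")
    return name, low, high
```

Even when this accepts a mapping, the remote host may still reject it at commit time, exactly as the comments above note; the syntactic check only narrows the space of typos, it cannot stand in for the target policy.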
Understood and I suppose ideally there should be a set of functions provided by libsemanage to check these things before "committing". Maybe they are there already, I am not familiar enough with the code to determine that. However if that functionality is not there then that is unsurprising since traditionally the only programmatic way to add selinux login entries was through semanage itself.
Regardless, a really watertight sanity check cannot be performed upfront I believe. One probably should not waste many cycles trying to do it. What is more important though is that consumers of this information (like sss) print informative information on the remote hosts as it fails to commit a login mapping when a user tries to log into a remote system that does not allow the specified mapping for the specified user/group@host.
Upstream ticket: https://pagure.io/freeipa/issue/7510
Fixed upstream master: https://pagure.io/freeipa/c/9d73e4a0f169acc3db6388ae8b8e2ecb1e1c62aa
Fixed upstream ipa-4-6: https://pagure.io/freeipa/c/810348f520c7fee7fa3f2a3a833d0ed066b8a7f1
freeipa-4.6.90.pre2-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-93dfeefc68
freeipa-4.6.90.pre2-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-93dfeefc68
freeipa-4.6.90.pre2-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.