[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
Rob Crittenden
rcritten at redhat.com
Mon Jan 23 17:20:58 UTC 2012
Martin Kosek wrote:
> On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
>> When deleting an HBAC rule we need to ensure that an SELinux user map
>> isn't pointing at it. The search for this didn't work well at all.
>>
>> This patch corrects the search and makes it more specific.
>>
>> I also tested that it works with the --continue flag of hbacrule-del.
>>
>> The ticket has instructions on testing.
>>
>> rob
>
> Works fine. There is just one part that is IMO too complicated:
>
> + hbacrule = options['seealso']
> + kw = dict(cn=hbacrule, all=True)
> _entries = api.Command.hbacrule_find(None, **kw)['result']
> del options['seealso']
> - if _entries:
> - options['seealso'] = _entries[0]['dn']
> + found = False
> + # look for an exact match. The search may return partial
> + # matches.
> + for entry in _entries:
> + if entry['cn'][0] == hbacrule:
> + found = True
> + options['seealso'] = entry['dn']
> + if not found:
> + return dict(count=0, result=[], truncated=False)
>
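Review bot: the exact-match test `if entry['cn'][0] == hbacrule:` is a case-sensitive Python comparison, but the LDAP search that produced `_entries` matches cn case-insensitively, so a rule the search did find under a differently cased name (say the user passes `Allow_All` for a rule stored as `allow_all`) is rejected as "not found" and the empty result is returned. Fold case on both sides, e.g. `if entry['cn'][0].lower() == hbacrule.lower():`, and `break` once the match is recorded. As a minor point, `kw = dict(cn=hbacrule, all=True)` fetches every attribute of every partial match although only `cn` and `dn` are used; dropping `all=True` keeps the lookup cheaper.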
> I think hbacrule_find(None, cn=HBACRULE) should not return partial
> matches, but just the exact match (tried with hbacrule-find
> --name=HBACRULE). Then the loop over entries wouldn't be needed.
>
> Couldn't we simply call hbacrule_show since we want just one HBAC rule
> with a known primary key?
>
> Martin
>
hbacrule_show would need to be modified to take a dn; that would be a
way to fix this.
rob
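As an added illustration (my own Python, not FreeIPA code and not the posted patch): a small model of the seealso lookup the hunk changes, run through the check hbacrule-del makes before deleting a rule. The rule entries, the SELinux user maps, the substring-matching hbacrule_find stand-in and every helper name here are constructed assumptions; the substring behaviour follows the hunk's own comment that the search may return partial matches, and the "filter dropped on miss" reading follows from the hunk deleting options['seealso'] and only restoring it on a hit.

```python
# Added example, not FreeIPA code: models why taking the first partial match
# (or dropping the seealso filter on a miss) gave wrong answers to "does any
# SELinux user map reference this HBAC rule?", and what an exact-match lookup
# changes.  All entries, names and the find() stand-in are constructed.

# Constructed HBAC rule entries in the shape hbacrule_find returns
# (attribute values are lists, dn is a string).
HBAC_RULES = [
    {"cn": ["allow_all_dev"],  "dn": "ipauniqueid=1,cn=hbac,dc=example,dc=com"},
    {"cn": ["allow_all"],      "dn": "ipauniqueid=2,cn=hbac,dc=example,dc=com"},
    {"cn": ["allow_all_test"], "dn": "ipauniqueid=3,cn=hbac,dc=example,dc=com"},
]

# Constructed SELinux user maps; seealso holds the dn of the rule they use.
SELINUX_MAPS = [
    {"cn": ["dev_staff_u"], "seealso": ["ipauniqueid=1,cn=hbac,dc=example,dc=com"]},
    {"cn": ["qa_user_u"],   "seealso": ["ipauniqueid=3,cn=hbac,dc=example,dc=com"]},
]


def hbacrule_find(cn):
    """Stand-in for hbacrule_find(None, cn=NAME) as the hunk's comment
    describes it: like an LDAP substring filter it returns every rule whose
    name contains NAME (case-insensitively), not only the exact one."""
    needle = cn.lower()
    return [e for e in HBAC_RULES if needle in e["cn"][0].lower()]


def seealso_dn_old(name):
    """Pre-patch lookup: whichever entry comes back first wins, and None
    (seealso filter dropped) if nothing came back."""
    entries = hbacrule_find(name)
    return entries[0]["dn"] if entries else None


def seealso_dn_new(name):
    """Exact-match lookup in the spirit of the patch.  The comparison is
    case-folded here because LDAP cn matching ignores case; the posted hunk
    uses a plain == and would miss 'Allow_All' against 'allow_all'."""
    for entry in hbacrule_find(name):
        if entry["cn"][0].lower() == name.lower():
            return entry["dn"]
    return None


def maps_referencing(rule_name, resolve, drop_filter_when_unresolved):
    """Names of SELinux user maps pointing at RULE_NAME, the check made
    before hbacrule-del removes a rule.  With the old code a failed lookup
    left the search unfiltered, so every map came back; the patched code
    returns an empty result instead."""
    dn = resolve(rule_name)
    if dn is None:
        if drop_filter_when_unresolved:
            return [m["cn"][0] for m in SELINUX_MAPS]   # old: unfiltered search
        return []                                      # patched: nothing found
    return [m["cn"][0] for m in SELINUX_MAPS if dn in m["seealso"]]


def can_delete_old(rule_name):
    """Deletion is allowed only when no map references the rule (old lookup)."""
    return not maps_referencing(rule_name, seealso_dn_old, True)


def can_delete_new(rule_name):
    """Same check with the exact-match lookup."""
    return not maps_referencing(rule_name, seealso_dn_new, False)


if __name__ == "__main__":
    for name in ("allow_all", "Allow_All", "no_such_rule", "allow_all_test"):
        print(f"{name:15} old: {can_delete_old(name)!s:5} new: {can_delete_new(name)}")
```

With these entries the old lookup refuses to delete allow_all because the substring search returns allow_all_dev first and that rule really is referenced, and refuses to delete a name that matches nothing because the unfiltered search returns every map; the exact-match version allows both and still blocks allow_all_test, which qa_user_u genuinely references.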