[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved

Rob Crittenden rcritten at redhat.com
Wed Jan 25 19:18:05 UTC 2012 

Martin Kosek wrote:
> On Tue, 2012-01-24 at 10:08 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Mon, 2012-01-23 at 12:20 -0500, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>>>> On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
>>>>>> When deleting an HBAC rule we need to ensure that an SELinux user map
>>>>>> isn't pointing at it. The search for this didn't work well at all.
>>>>>>
>>>>>> This patch corrects the search and makes it more specific.
>>>>>>
>>>>>> I also tested that it works with the --continue flag of hbacrule-del.
>>>>>>
>>>>>> The ticket has instructions on testing.
>>>>>>
>>>>>> rob
>>>>>
>>>>> Works fine. There is just one part that is IMO too complicated:
>>>>>
>>>>> +            hbacrule = options['seealso']
>>>>> +            kw = dict(cn=hbacrule, all=True)
>>>>>                 _entries = api.Command.hbacrule_find(None, **kw)['result']
>>>>>                 del options['seealso']
>>>>> -            if _entries:
>>>>> -                options['seealso'] = _entries[0]['dn']
>>>>> +            found = False
>>>>> +            # look for an exact match. The search may return partial
>>>>> +            # matches.
>>>>> +            for entry in _entries:
>>>>> +                if entry['cn'][0] == hbacrule:
>>>>> +                    found = True
>>>>> +                    options['seealso'] = entry['dn']
>>>>> +            if not found:
>>>>> +                return dict(count=0, result=[], truncated=False)
>>>>>
>>>>> I think hbacrule_find(None, cn=HBACRULE) should not return partial
>>>>> matches, but just the exact match (tried with hbacrule-find
>>>>> --name=HBACRULE). Then the loop over entries wouldn't be needed.
>>>>>
>>>>> Couldn't we simply call hbacrule_show since we want just one HBAC rule
>>>>> with a known primary key?
>>>>>
>>>>> Martin
>>>>>
>>>>
>>>> hbacrule_show would need to be modified to take a dn, that would be a
>>>> way to fix this.
>>>>
>>>> rob
>>>
>>> Not sure I see the problem with hbacrule_show. I tested this piece of
>>> code and it worked fine:
>>>
>>> selinuxusermap_find:
>>> ...
>>>           if 'seealso' in options:
>>>               hbacrule = options['seealso']
>>>
>>>               try:
>>>                   hbac = api.Command['hbacrule_show'](hbacrule,
>>> all=True)['result']
>>>                   dn = hbac['dn']
>>>               except errors.NotFound:
>>>                   return dict(count=0, result=[], truncated=False)
>>>               options['seealso'] = dn
>>> ...
>>>
>>> Martin
>>>
>>
>> Ok, I misunderstood your point. Yes, this is vastly better. Updated
>> patch attached.
>>
>> rob
>
> ACK if you change
>
> if 'seealso' in options:
>
> to:
>
> if options.get('seealso'):
>
> so that the following case is fixed:
>
> # ipa selinuxusermap-find --hbacrule=
> ipa: ERROR: 'cn' is required
>
> Martin
>

Fixed, pushed to master and ipa-2-2

rob

More information about the Freeipa-devel mailing list