[Freeipa-devel] [PATCHES 0031-0032] Improve HBAC rule handling in selinuxusermap-add/mod/find

Rob Crittenden rcritten at redhat.com
Tue Feb 19 21:33:59 UTC 2013


Tomas Babej wrote:
> On 02/06/2013 07:57 PM, Rob Crittenden wrote:
>> Tomas Babej wrote:
>>> Hi,
>>>
>>> this pair of patches improves HBAC rule handling in selinuxusermap
>>> commands.
>>>
>>> Patch 0031 deals with:
>>> https://fedorahosted.org/freeipa/ticket/3349
>>>
>>> Patch 0032 takes care of:
>>> https://fedorahosted.org/freeipa/ticket/3348
>>>
>>> and is to be applied on top of Patch 0031.
>>>
>>> See commit messages for detailed info.
>>>
>>> Tomas
>>>
>>
>> ACK for patch 0032.
>>
>> For patch 0031 we can't change the data type of an existing attribute.
>> It will break backwards compatibility. Can you test with an older
>> client to see if it cares (it may not care about the name of the
>> type). If older clients will work then this is probably ok.
>>
>> I gather that seealso detected as a DN attribute and converted into a
>> DN class and this is blowing up the Str validator?
>>
> Yes, that was exactly the case.
>> rob
>
> I added a workaround for older client versions, tested it with
> freeipa-client/admintools 2.2, works as expected.
> However, this should only be an issue if there is an older admintools
> package on the client than on the server.
>
> Outline is such as follows: I added a new flag for the DNParam seealso
> attribute, called 'allow_malformed', that allows any string to be passed
> to DNParam. Its value gets wrapped in 'malformed=yes,value=<value>'.
> This allows parsing the string out of the DN in the selinuxusermap-add/mod
> pre_callback and searching for the rule with such a name, so that
> its DN gets into LDAP instead.
>
> Updated patch attached.
>
> Tomas

I like where you're going with this, just a couple of comments:

1. Should we come up with a more universal name for allow_malformed? Is 
this something that we should allow at a higher level? I was thinking 
allow_raw, or allow_non_dn, or something like that.

2. I think that if a bad dn is passed in as a Str the conversion into a 
DN won't be handled:

+            if 'allow_malformed' in self.flags:
+                dn = DN(('malformed','yes'),('value',value))
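Review bot: the DN((...)) construction on the second line sits outside any exception handling, so a value the DN class rejects would surface as an uncaught exception rather than the ConversionError the non-flag conversion path raises; wrap it in the same try/except as that path, e.g. `try: dn = DN(('malformed','yes'),('value',value))` / `except Exception as e: raise ConversionError(...)`, so both branches fail the same way.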

Should this be wrapped in a try/except to raise a ConversionError if it 
fails?

rob
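As an added illustration of the scheme Tomas outlines (not FreeIPA's own code): a toy DN builder and parser stand in for the ipapython DN class, and the hypothetical names convert_dn_param and unwrap_malformed model the DNParam conversion with 'allow_malformed' and the pre_callback extraction, including the try/except that maps failures to ConversionError.

```python
import re

class ConversionError(ValueError):
    """Stand-in for the API's ConversionError (hypothetical name)."""

_ATTR = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')
_SPECIAL = re.compile(r'([\\,=+"<>;#])')

def _build_dn(*pairs):
    """Toy DN constructor: attr/value tuples -> 'a=v,b=w', escaping the
    characters special in an RDN value. Raises ValueError on bad input."""
    rdns = []
    for attr, value in pairs:
        if not _ATTR.match(attr) or not isinstance(value, str):
            raise ValueError('bad RDN %r=%r' % (attr, value))
        rdns.append('%s=%s' % (attr, _SPECIAL.sub(r'\\\1', value)))
    return ','.join(rdns)

def _parse_dn(dn):
    """Toy DN parser: split on unescaped commas and unescape values."""
    pairs = []
    for rdn in re.split(r'(?<!\\),', dn):
        attr, sep, value = rdn.partition('=')
        if not sep or not _ATTR.match(attr):
            raise ValueError('malformed RDN %r' % rdn)
        pairs.append((attr, re.sub(r'\\(.)', r'\1', value)))
    return pairs

def convert_dn_param(value, flags=()):
    """DNParam-style conversion. With 'allow_malformed' any string is wrapped
    as 'malformed=yes,value=<value>'; both paths turn failures (non-string
    input, unparsable DN) into ConversionError instead of a raw traceback."""
    try:
        if 'allow_malformed' in flags:
            return _build_dn(('malformed', 'yes'), ('value', value))
        _parse_dn(value)          # validate, then keep the original string
        return value
    except ValueError as e:
        raise ConversionError(str(e))

def unwrap_malformed(dn):
    """pre_callback side: recover the raw rule name, or None for a real DN."""
    pairs = _parse_dn(dn)
    if len(pairs) == 2 and pairs[0] == ('malformed', 'yes') and pairs[1][0] == 'value':
        return pairs[1][1]
    return None
```

A rule name containing ',' or '=' survives the round trip only because the wrapper escapes it; the real DN class does the same, which is why the value is passed as a tuple rather than concatenated into a string.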