[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
Martin Kosek
mkosek at redhat.com
Mon Jan 23 16:36:49 UTC 2012
On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
> When deleting an HBAC rule we need to ensure that an SELinux user map
> isn't pointing at it. The search for this didn't work well at all.
>
> This patch corrects the search and makes it more specific.
>
> I also tested that it works with the --continue flag of hbacrule-del.
>
> The ticket has instructions on testing.
>
> rob
Works fine. There is just one part that is IMO too complicated:
+ hbacrule = options['seealso']
+ kw = dict(cn=hbacrule, all=True)
_entries = api.Command.hbacrule_find(None, **kw)['result']
del options['seealso']
- if _entries:
- options['seealso'] = _entries[0]['dn']
+ found = False
+ # look for an exact match. The search may return partial
+ # matches.
+ for entry in _entries:
+ if entry['cn'][0] == hbacrule:
+ found = True
+ options['seealso'] = entry['dn']
+ if not found:
+ return dict(count=0, result=[], truncated=False)
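Review bot: the loop starting at `+ for entry in _entries:` keeps scanning after it has already matched, so add a `break` right after `+ options['seealso'] = entry['dn']` so the first exact match wins and the remaining entries are not visited; also, the comparison `entry['cn'][0] == hbacrule` is case-sensitive while the `cn` match performed by the directory search is not, so a rule name supplied in a different case will be returned by `hbacrule_find` and then rejected here (normalise both sides before comparing, or fetch the single rule by its primary key instead of filtering search results). Finally, `all=True` in `kw = dict(cn=hbacrule, all=True)` pulls every attribute of every candidate when only `dn` and `cn` are used; dropping it keeps the lookup cheaper.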
I think hbacrule_find(None, cn=HBACRULE) should not return partial
matches, but just the exact match (tried with hbacrule-find
--name=HBACRULE). Then the loop over entries wouldn't be needed.
Couldn't we simply call hbacrule_show since we want just one HBAC rule
with a known primary key?
Martin