[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved

Martin Kosek mkosek at redhat.com
Tue Jan 24 07:58:27 UTC 2012


On Mon, 2012-01-23 at 12:20 -0500, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
> >> When deleting an HBAC rule we need to ensure that an SELinux user map
> >> isn't pointing at it. The search for this didn't work well at all.
> >>
> >> This patch corrects the search and makes it more specific.
> >>
> >> I also tested that it works with the --continue flag of hbacrule-del.
> >>
> >> The ticket has instructions on testing.
> >>
> >> rob
> >
> > Works fine. There is just one part that is IMO too complicated:
> >
> > +            hbacrule = options['seealso']
> > +            kw = dict(cn=hbacrule, all=True)
> >               _entries = api.Command.hbacrule_find(None, **kw)['result']
> >               del options['seealso']
> > -            if _entries:
> > -                options['seealso'] = _entries[0]['dn']
> > +            found = False
> > +            # look for an exact match. The search may return partial
> > +            # matches.
> > +            for entry in _entries:
> > +                if entry['cn'][0] == hbacrule:
> > +                    found = True
> > +                    options['seealso'] = entry['dn']
> > +            if not found:
> > +                return dict(count=0, result=[], truncated=False)
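Review bot: The `for entry in _entries:` loop keeps going after it finds the exact match and never breaks, so if the find ever returned more than one entry whose `cn[0]` equals `hbacrule` the last one silently wins; add a `break` after `options['seealso'] = entry['dn']`, or avoid the substring search altogether and resolve the name by primary key so a non-match surfaces as `NotFound` rather than needing the partial-match filter. The `all=True` in `kw` also pulls every attribute of every partial match when only the `dn` of one entry is used.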
> >
> > I think hbacrule_find(None, cn=HBACRULE) should not return partial
> > matches, but just the exact match (tried with hbacrule-find
> > --name=HBACRULE). Then the loop over entries wouldn't be needed.
> >
> > Couldn't we simply call hbacrule_show since we want just one HBAC rule
> > with a known primary key?
> >
> > Martin
> >
> 
> hbacrule_show would need to be modified to take a dn, that would be a 
> way to fix this.
> 
> rob

Not sure I see the problem with hbacrule_show. I tested this piece of
code and it worked fine:

selinuxusermap_find:
...
        if 'seealso' in options:
            hbacrule = options['seealso']

            try:
                # primary-key lookup raises NotFound for a non-existent rule
                hbac = api.Command['hbacrule_show'](hbacrule,
                                                    all=True)['result']
                dn = hbac['dn']
            except errors.NotFound:
                return dict(count=0, result=[], truncated=False)
            options['seealso'] = dn
...

Martin
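An added example, not FreeIPA code, modelling the two lookups the thread compares: a substring-style hbacrule_find versus an exact primary-key hbacrule_show, and what each does to the "is any SELinux user map still pointing at this rule" check before deletion. The entry names, DNs and the NotFound class are constructed stand-ins.

```python
# Toy in-memory model of the seealso resolution discussed above (assumption:
# names, DNs and the NotFound class are made up; only the lookup shapes follow
# the thread).

class NotFound(Exception):
    """Stands in for ipalib's errors.NotFound."""

DN_ADMINS = "ipauniqueid=1,cn=hbac,dc=example,dc=test"   # constructed
DN_SSH = "ipauniqueid=2,cn=hbac,dc=example,dc=test"      # constructed

# Order matters: the partial match sorts first, as a directory search may do.
HBAC_RULES = [
    {"cn": ["ssh_admins"], "dn": DN_ADMINS},
    {"cn": ["ssh"], "dn": DN_SSH},
]
# One SELinux user map references the rule named "ssh" via seealso.
SELINUX_MAPS = [{"cn": ["admins_map"], "seealso": [DN_SSH]}]

def hbacrule_find(cn):
    """Substring search: every rule whose cn contains `cn` (partial matches)."""
    return [r for r in HBAC_RULES if cn.lower() in r["cn"][0].lower()]

def hbacrule_show(cn):
    """Primary-key lookup: exact cn match or NotFound."""
    for r in HBAC_RULES:
        if r["cn"][0].lower() == cn.lower():
            return r
    raise NotFound(cn)

def seealso_dn_first_match(rulename):
    """The behaviour the patch replaces: take the first search result."""
    entries = hbacrule_find(rulename)
    return entries[0]["dn"] if entries else None

def seealso_dn_show(rulename):
    """Martin's suggestion: resolve by primary key, None when missing."""
    try:
        return hbacrule_show(rulename)["dn"]
    except NotFound:
        return None

def maps_referencing(rulename, resolver=seealso_dn_show):
    """selinuxusermap_find --seealso: names of maps pointing at the rule."""
    dn = resolver(rulename)
    if dn is None:
        return []
    return [m["cn"][0] for m in SELINUX_MAPS if dn in m["seealso"]]

def hbacrule_del_allowed(rulename, resolver=seealso_dn_show):
    """Deletion check: refuse while any SELinux user map still points here."""
    return not maps_referencing(rulename, resolver)
```

With the first-match resolver, deleting "ssh" is wrongly allowed because the lookup landed on "ssh_admins", leaving admins_map with a dangling seealso; the exact lookup refuses it.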
