[Freeipa-devel] [PATCH] 927 fix deleting hbac rules when selinux user maps are involved
Rob Crittenden
rcritten at redhat.com
Tue Jan 24 15:08:33 UTC 2012
Martin Kosek wrote:
> On Mon, 2012-01-23 at 12:20 -0500, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
>>>> When deleting an HBAC rule we need to ensure that an SELinux user map
>>>> isn't pointing at it. The search for this didn't work well at all.
>>>>
>>>> This patch corrects the search and makes it more specific.
>>>>
>>>> I also tested that it works with the --continue flag of hbacrule-del.
>>>>
>>>> The ticket has instructions on testing.
>>>>
>>>> rob
>>>
>>> Works fine. There is just one part that is IMO too complicated:
>>>
>>> + hbacrule = options['seealso']
>>> + kw = dict(cn=hbacrule, all=True)
>>> _entries = api.Command.hbacrule_find(None, **kw)['result']
>>> del options['seealso']
>>> - if _entries:
>>> - options['seealso'] = _entries[0]['dn']
>>> + found = False
>>> + # look for an exact match. The search may return partial
>>> + # matches.
>>> + for entry in _entries:
>>> + if entry['cn'][0] == hbacrule:
>>> + found = True
>>> + options['seealso'] = entry['dn']
>>> + if not found:
>>> + return dict(count=0, result=[], truncated=False)
>>>
>>> I think hbacrule_find(None, cn=HBACRULE) should not return partial
>>> matches, but just the exact match (tried with hbacrule-find
>>> --name=HBACRULE). Then the loop over entries wouldn't be needed.
>>>
>>> Couldn't we simply call hbacrule_show since we want just one HBAC rule
>>> with a known primary key?
>>>
>>> Martin
>>>
>>
>> hbacrule_show would need to be modified to take a dn, that would be a
>> way to fix this.
>>
>> rob
>
> Not sure I see the problem with hbacrule_show. I tested this piece of
> code and it worked fine:
>
> selinuxusermap_find:
> ...
> if 'seealso' in options:
> hbacrule = options['seealso']
>
> try:
> hbac = api.Command['hbacrule_show'](hbacrule,
> all=True)['result']
> dn = hbac['dn']
> except errors.NotFound:
> return dict(count=0, result=[], truncated=False)
> options['seealso'] = dn
> ...
>
> Martin
>
Ok, I misunderstood your point. Yes, this is vastly better. Updated
patch attached.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-927-1-selinux.patch
Type: text/x-diff
Size: 5765 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120124/9f4f5fc8/attachment.bin>
More information about the Freeipa-devel
mailing list