Dne pátek 20 července 2012 14:32:10, Jakub Hrozek napsal(a):
On Fri, Jul 20, 2012 at 01:55:59PM +0200, Jan Zelený wrote:
> #156
> Added some debug messages
This debug message is wrong:
+ DEBUG(SSSDBG_TRACE_FUNC, ("HBAC rule [%s] matched, moving "
+ "SELinux user map [%s] to
confirmed\n", + hbac_dn,
seealso_dn));
There is no "confirmed" list anymore. The rest of the patch looks good.
You are right. Fixed
> #157
> The original priority patch had this condition in the wrong place,
> resulting in hostCategory == all not being taken into account
This code assigns SELINUX_PRIORITY_HOST_CAT to any rule that contains
anything in the "hostcat" attribute. It needs to specifically check for
strcasecmp(hostcat, "all") and error out saying that the category is not
supported on any other input. The same applies to user categories.
Similar to hbac_get_category() for how the input validity check is performed
for the HBAC rules.
On the contrary, the check is there. At least I can see the strcasecmp in my
vim ;-)
> #158
> The function ipa_selinux_map_merge() is no longer necessary since more
> generic function has been implemented and it is even used in the code
Ack
> #159
> This patch provides the fix for HBAC - SELinux linking itself. I'm not
> sure
> about defining those two constants on top. If anyone has better idea where
> to put them in order to consolidate them with the same constants private
> for HBAC code, I'm open to suggestions.
They are already stored in ipa_selinux_user_map[], see ipa_opts.h
Yes they are but I don't think it's wise to extract the name from selinux user
map and apply it to HBAC rule. It will work, sure. But IMO it would be even
more confusing and potentially dangerous than defining the constant this way.
Sending corrected patch #156
Thanks
Jan