On Monday 23 July 2012 15:59:01, Jakub Hrozek wrote:
> On Mon, Jul 23, 2012 at 09:08:52AM +0200, Jan Zelený wrote:
> > On Monday 23 July 2012 08:16:30, Jan Zelený wrote:
> > > On Friday 20 July 2012 21:19:08, Jakub Hrozek wrote:
> > > > On Fri, Jul 20, 2012 at 05:51:29PM +0200, Jan Zelený wrote:
> > > > > On Friday 20 July 2012 17:46:33, Jakub Hrozek wrote:
> > > > > > On Fri, Jul 20, 2012 at 05:27:44PM +0200, Jan Zelený wrote:
> > > > > > > > Oh right, it's an HBAC attribute..
> > > > > > > >
> > > > > > > > Can't you just include ipa_hbac_private.h, then?
> > > > > > >
> > > > > > > I didn't exactly like that solution either so I moved those two constants to ipa_hbac.h which is supposed to be a public HBAC interface. The "right solution" would be to construct a map for HBAC rules, I know we discussed this with Stephen several months back but we never really got to do that.
> > > > > >
> > > > > > ipa_hbac.h is a public header of libipa_hbac, included in libipa_hbac-devel. The attribute names don't have to be in the public interface, I think that including the ipa_hbac_private.h header is just fine.
> > > > >
> > > > > Well, it's probably the best of bad options. Patches attached.
> > > > >
> > > > > Jan
> > > >
> > > > Nack, these patches still don't work. Here is my setup:
> > > >
> > > > # ipa selinuxusermap-find
> > > > 2 SELinux User Maps matched
> > > >   Rule name: test_all_user_all_hosts
> > > >   SELinux User: xguest_u:s0
> > > >   User category: all
> > > >   Host category: all
> > > >   Enabled: TRUE
> > > >
> > > >   Rule name: test_user_all_hosts
> > > >   SELinux User: user_u:s0-s0:c0.c1023
> > > >   Host category: all
> > > >   Enabled: TRUE
> > > >   Users: tuser1
> > > >
> > > > I'm logging in as tuser1, so I was expecting to get "user_u:s0-s0:c0.c1023", however neither of the maps match and I'm left with the default.
> > >
> > > Could you please provide some more information like log files and cache? I have re-tested everything on my setup and it performs as expected.
> > >
> > > Thanks
> > > Jan
> >
> > Never mind. I tried to play with my setup a bit and I eventually found the issue myself. It was a rather stupid copy-paste error, sorry for the inconvenience.
> >
> > Sending corrected patch set.
> >
> > Jan
>
> The first two patches work fine now, ack. I'll also push them to master so that Rob has something to test.
>
> Specificity of SELinux user mappings linked with HBAC rules still doesn't work, though. Because most probably we'll be doing a release today, I've filed a new ticket so we can track this issue on its own:

This is actually a different issue which depends on the order in which you receive records from the LDAP server. That's why I didn't notice it in the first place.

I am attaching patch #160 which is fixing the issue.

Thanks
Jan