On Fri, Jul 20, 2012 at 01:55:59PM +0200, Jan Zelený wrote:
#156 Added some debug messages
This debug message is wrong:
+ DEBUG(SSSDBG_TRACE_FUNC, ("HBAC rule [%s] matched, moving " + "SELinux user map [%s] to confirmed\n", + hbac_dn, seealso_dn));
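Review bot: the second string literal of this DEBUG call says the map is being moved "to confirmed", but nothing in the hunk shows a move or a destination with that name. Reword the message so it names the operation the code actually performs once the HBAC rule matches, keeping the two %s arguments (hbac_dn, seealso_dn) in the order the text mentions them.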
There is no "confirmed" list anymore. The rest of the patch looks good.
#157 The original priority patch had this condition in the wrong place, resulting in hostCategory == all not being taken into account
This code assigns SELINUX_PRIORITY_HOST_CAT to any rule that contains anything in the "hostcat" attribute. It needs to specifically check for strcasecmp(hostcat, "all") and error out saying that the category is not supported on any other input. The same applies to user categories.
Similar to hbac_get_category() for how the input validity check is performed for the HBAC rules.
#158 The function ipa_selinux_map_merge() is no longer necessary since a more generic function has been implemented and it is even used in the code
Ack
#159 This patch provides the fix for HBAC - SELinux linking itself. I'm not sure about defining those two constants on top. If anyone has a better idea where to put them in order to consolidate them with the same constants private for HBAC code, I'm open to suggestions.
They are already stored in ipa_selinux_user_map[], see ipa_opts.h
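
The category check requested for #157, as an added example that is not SSSD code and not part of this thread: the presence-only form beside a form that accepts only "all" (case-insensitive) and fails closed on anything else. The constant names, their values and the function names are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <strings.h>

/* Hypothetical priority bits; values constructed for this example. */
#define PRIO_USER_CAT 0x1u
#define PRIO_HOST_CAT 0x2u

/* Form described in the review: any value at all earns the priority bit. */
static unsigned prio_presence_only(const char *usercat, const char *hostcat)
{
    unsigned prio = 0;
    if (usercat != NULL) prio |= PRIO_USER_CAT;
    if (hostcat != NULL) prio |= PRIO_HOST_CAT;
    return prio;
}

/* One category: absent is fine, "all" sets the bit, anything else is EINVAL. */
static int check_category(const char *value, unsigned bit, unsigned *prio)
{
    if (value == NULL) return 0;
    if (strcasecmp(value, "all") != 0) return EINVAL;
    *prio |= bit;
    return 0;
}

/* Requested form: validate both categories; no priority on unsupported input. */
static int prio_validated(const char *usercat, const char *hostcat, unsigned *prio)
{
    unsigned p = 0;
    int ret;
    *prio = 0;
    ret = check_category(usercat, PRIO_USER_CAT, &p);
    if (ret != 0) return ret;
    ret = check_category(hostcat, PRIO_HOST_CAT, &p);
    if (ret != 0) return ret;
    *prio = p;
    return 0;
}

int main(void)
{
    unsigned p;
    return prio_validated(NULL, "all", &p); /* 0 on success */
}
```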