From 456abbc0f91a8575564f54d9ba330a6acfe49d8c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Jan 16 2019 08:56:56 +0000 Subject: Fix systemd-user HBAC rule 2ef6e14c5a87724a3b37dd5f0817af48c4411e03 added an invalid HBAC rule that encoded the service wrongly. See: https://bugzilla.redhat.com/show_bug.cgi?id=1643928 Fixes: https://pagure.io/freeipa/issue/7831 Signed-off-by: Christian Heimes Reviewed-By: Alexander Bokovoy --- diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif index 8dd9068..c89bd3e 100644 --- a/install/share/default-hbac.ldif +++ b/install/share/default-hbac.ldif @@ -21,7 +21,7 @@ cn: allow_systemd-user accessruletype: allow usercategory: all hostcategory: all -servicecategory: systemd-user +memberService: cn=systemd-user,cn=hbacservices,cn=hbac,$SUFFIX ipaenabledflag: TRUE description: Allow pam_systemd to run user@.service to create a system user session ipauniqueid: autogenerate diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index 1fb6450..8b2c84f 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -501,11 +501,17 @@ class TestIPACommand(IntegrationTest): tasks.kinit_admin(self.master) # check for presence self.master.run_command( - ['ipa', 'hbacrule-show', 'allow_systemd-user'] - ) - self.master.run_command( ['ipa', 'hbacsvc-show', 'systemd-user'] ) + result = self.master.run_command( + ['ipa', 'hbacrule-show', 'allow_systemd-user', '--all'] + ) + lines = set(l.strip() for l in result.stdout_text.split('\n')) + assert 'User category: all' in lines + assert 'Host category: all' in lines + assert 'Enabled: TRUE' in lines + assert 'Services: systemd-user' in lines + assert 'accessruletype: allow' in lines # delete both self.master.run_command(