#2731 Link hbac rule enabled/disabled with selinuxusermap rule
Closed: wontfix 5 years ago Opened 11 years ago by rcritten.

Currently both hbac rules and selinuxusermap rules are associations so both have an enabled/disabled capability. If an selinuxusermap rule points to an hbac rule for its list of hosts and users it does not check to see if that hbac rule is enabled.

We should link the hbac rule enabled/disabled to any selinuxusermap rules that point to it so that disabling/enabling the hbac rule will do the same in the selinuxusermap rule. The reverse will NOT be true, so the selinuxusermap rule can be disabled without affecting the hbac rule.


I do not think it is a problem. The linking to HBAC rule is used to reuse the association data already defined once. Whether the HBAC rule is enabled or disabled does not matter. I think it works correctly as is.

Suggest closing as invalid.

Yes, I may be overly paranoid. My concern was a user saying "Oh gee, I don't want this HBAC Rule enabled any more" and yet any SELinux User Map rules pointing to it would still work fine. It may be unexpected behavior.

I think it is sufficient to document it.

Metadata Update from @rcritten:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
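
An audit for the behavior discussed in this ticket, as an added example that is not part of the ticket or of FreeIPA's code: it lists enabled SELinux user maps whose linked HBAC rule is disabled. It assumes an LDIF export of both containers with no folded or base64 lines, and that the link is stored in `seeAlso` and the state in `ipaEnabledFlag`; the sample entries and rule names are constructed.

```python
# Added example: flag enabled SELinux user maps that point at a disabled HBAC rule.
SAMPLE_LDIF = """\
dn: ipaUniqueID=aaaa-1111,cn=hbac,dc=example,dc=test
objectClass: ipahbacrule
cn: allow_admins
ipaEnabledFlag: FALSE

dn: ipaUniqueID=bbbb-2222,cn=hbac,dc=example,dc=test
objectClass: ipahbacrule
cn: allow_devs
ipaEnabledFlag: TRUE

dn: ipaUniqueID=cccc-3333,cn=usermap,cn=selinux,dc=example,dc=test
objectClass: ipaselinuxusermap
cn: admins_unconfined
ipaEnabledFlag: TRUE
seeAlso: ipaUniqueID=aaaa-1111,cn=hbac,dc=example,dc=test

dn: ipaUniqueID=dddd-4444,cn=usermap,cn=selinux,dc=example,dc=test
objectClass: ipaselinuxusermap
cn: devs_staff
ipaEnabledFlag: TRUE
seeAlso: ipaUniqueID=bbbb-2222,cn=hbac,dc=example,dc=test
"""

def parse_ldif(text):
    """Parse simple LDIF into dicts of lowercased attribute -> list of values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key.lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def maps_on_disabled_hbac(text):
    """Return (usermap cn, hbac rule cn) pairs for enabled maps on disabled rules."""
    entries = parse_ldif(text)
    is_a = lambda e, oc: oc in {c.lower() for c in e.get("objectclass", [])}
    hbac = {e["dn"][0].lower(): e for e in entries if is_a(e, "ipahbacrule")}
    findings = []
    for e in entries:
        if not is_a(e, "ipaselinuxusermap") or e.get("ipaenabledflag", [""])[0].upper() != "TRUE":
            continue  # not a user map, or the map itself is disabled
        for target in e.get("seealso", []):
            rule = hbac.get(target.lower())  # DN match by lowercase only
            if rule and rule.get("ipaenabledflag", [""])[0].upper() != "TRUE":
                findings.append((e["cn"][0], rule["cn"][0]))
    return findings
```
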
