#2986 selinuxusermap-mod --setattr for the hbacrule should accept user friendly hbacrule name instead of ldap DN
Closed: wontfix 5 years ago Opened 11 years ago by aakkiang.

"seealso" attribute is actually the attribute used underneath for the pointer to the HBAC rule.
selinuxusermap-mod --setattr interface for "seealso" attribute expects a complete ldap DN value, as shown in example 4 below. A friendly hbacrule name "allow_all" fails with the error "Invalid syntax" (example 3).

Expected result: example 3 should be successful. selinuxusermap-mod --setattr for seealso should accept hbacrule name instead of ldap DN.

1. # ipa show-mappings selinuxusermap-add
Parameter      : LDAP attribute
=========      : ==============
selinuxuser    : ipaselinuxuser
hbacrule       : seealso
usercat        : usercategory
hostcat        : hostcategory
desc           : description
ipaenabledflag : ipaenabledflag

2. #  ipa selinuxusermap-add --selinuxuser=guest_u:s0 testselinuxusermap
-------------------------------------------
Added SELinux User Map "testselinuxusermap"
-------------------------------------------
  Rule name: testselinuxusermap
  SELinux User: guest_u:s0
  Enabled: TRUE

3. # ipa selinuxusermap-mod --setattr=seealso=allow_all testselinuxusermap
ipa: ERROR: seeAlso: value #0 invalid per syntax: Invalid syntax.

4. # ipa selinuxusermap-mod  --setattr=seealso=ipauniqueid=b0be50f4-d286-11e1-9426-021016980190,cn=hbac,dc=testrelm,dc=com  testselinuxusermap
----------------------------------------------
Modified SELinux User Map "testselinuxusermap"
----------------------------------------------
  Rule name: testselinuxusermap
  SELinux User: guest_u:s0
  HBAC Rule: allow_all
  Enabled: TRUE
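An added example, not from the ticket or from the FreeIPA project: a POSIX shell helper showing the two routes described above. The --hbacrule option is the supported way to set the pointer by rule name (the CLI maps it to seeAlso itself, per example 1). The --setattr route needs the raw seeAlso value, so the helper resolves the rule name to its DN with `ipa hbacrule-show --all --raw` and refuses to pass anything that is not DN-shaped, so a bare name such as "allow_all" is caught client-side with a clear message instead of the server's "Invalid syntax". It assumes the ipa CLI and a valid Kerberos ticket; the function names and the DN-shape regex are the example's own, and the sample output in the comments is constructed from the DN in example 4.

```shell
#!/bin/sh
# Added example (not from the ticket): two ways to point an SELinux user map
# at an HBAC rule. Assumes the ipa CLI is installed and a Kerberos ticket is
# held. Function names are this example's own.

# Preferred route: the friendly option, which the CLI maps to seeAlso itself.
set_hbac_rule_by_name() {
    map=$1; rule=$2
    ipa selinuxusermap-mod --hbacrule="$rule" "$map"
}

# Extract the DN from `ipa hbacrule-show <rule> --all --raw` output on stdin.
# Constructed sample of that output (two-space indent as printed by the CLI):
#   dn: ipaUniqueID=b0be50f4-d286-11e1-9426-021016980190,cn=hbac,dc=testrelm,dc=com
#   cn: allow_all
extract_dn() {
    awk '/^[[:space:]]*dn:/ { sub(/^[[:space:]]*dn:[[:space:]]*/, ""); print; exit }'
}

# Accept only values shaped like a DN (attr=value pairs joined by commas).
# This rejects bare rule names, which seeAlso does not accept.
looks_like_dn() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$'
}

# Raw-attribute route: resolve the rule name to its DN first, then --setattr.
# The pipeline's status is awk's, so an ipa failure shows up as an empty DN,
# which looks_like_dn rejects.
set_hbac_rule_by_dn() {
    map=$1; rule=$2
    dn=$(ipa hbacrule-show "$rule" --all --raw | extract_dn)
    if ! looks_like_dn "$dn"; then
        echo "no DN found for HBAC rule '$rule'; refusing to call --setattr" >&2
        return 1
    fi
    ipa selinuxusermap-mod --setattr="seealso=$dn" "$map"
}

# Usage (not run here):
#   set_hbac_rule_by_name testselinuxusermap allow_all
#   set_hbac_rule_by_dn   testselinuxusermap allow_all
```

Use set_hbac_rule_by_name unless you genuinely need the raw attribute; when you do, the DN check keeps the "know what you are doing" requirement from turning into a silent typo.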

This is working as designed.

If someone is using setattr then they need to know what they are doing. This option is specifically to give an admin more power, otherwise what is the difference between using the standard option?

Make an error message more meaningful and display the expected type of the attribute. The change will be across the whole project.

Releasing tickets from distant milestones.

Metadata Update from @aakkiang:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request reconsideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
