Issue #2986: selinuxusermap-mod --setattr for the hbacrule should accept user friendly hbacrule name instead of ldap DN - freeipa

freeipa

#2986 selinuxusermap-mod --setattr for the hbacrule should accept user friendly hbacrule name instead of ldap DN

Closed: wontfix 6 years ago Opened 12 years ago by aakkiang.

"seealso" attribute is actually the attribute used underneath for the pointer to the HBAC rule.
selinuxusermap-mod --setattr interface for "seealso" attribute expects complete ldap DN value as shown in the following example 4. A friendly hbacrule name "allow_all" fails with error Invalid syntax (example 3).

Expected result: example 3 should be successful. selinuxusermap-mod --setattr for seealso should accept hbacrule name instead of ldap DN.

1. # ipa show-mappings selinuxusermap-add
Parameter      : LDAP attribute
=========      : ==============
selinuxuser    : ipaselinuxuser
hbacrule       : seealso
usercat        : usercategory
hostcat        : hostcategory
desc           : description
ipaenabledflag : ipaenabledflag

2. #  ipa selinuxusermap-add --selinuxuser=guest_u:s0 testselinuxusermap
-------------------------------------------
Added SELinux User Map "testselinuxusermap"
-------------------------------------------
  Rule name: testselinuxusermap
  SELinux User: guest_u:s0
  Enabled: TRUE

3. # ipa selinuxusermap-mod --setattr=seealso=allow_all testselinuxusermap
ipa: ERROR: seeAlso: value #0 invalid per syntax: Invalid syntax.

4. # ipa selinuxusermap-mod  --setattr=seealso=ipauniqueid=b0be50f4-d286-11e1-9426-021016980190,cn=hbac,dc=testrelm,dc=com  testselinuxusermap
----------------------------------------------
Modified SELinux User Map "testselinuxusermap"
----------------------------------------------
  Rule name: testselinuxusermap
  SELinux User: guest_u:s0
  HBAC Rule: allow_all
  Enabled: TRUE

rcritten commented 12 years ago

This is working as designed.

If someone is using setattr then they need to know what they are doing. This option is specifically to give an admin more power, otherwise what is the difference between using the standard option?

dpal commented 12 years ago

Make an error message more meaningful and display the expected type of the attribute. The change will be across the whole project.

tbabej commented 10 years ago

Releasing tickets from distant milestones.

Metadata Update from @aakkiang:
- Issue assigned to someone
- Issue set to the milestone: Ticket Backlog

8 years ago

rcritten commented 6 years ago

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

6 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

Ticket Backlog

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

IPA

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

tester

None

changelog

None

design

None

rhbz

todo

freeipa

Source Code

#2986 selinuxusermap-mod --setattr for the hbacrule should accept user friendly hbacrule name instead of ldap DN Closed: wontfix 6 years ago Opened 12 years ago by aakkiang.

Metadata

#2986 selinuxusermap-mod --setattr for the hbacrule should accept user friendly hbacrule name instead of ldap DN

Closed: wontfix 6 years ago Opened 12 years ago by aakkiang.