There is no error if an already enabled HBAC rule is enabled with hbacrule_enable, nor if an already disabled HBAC rule is disabled with hbacrule_disable.
# ipa hbacrule-add test
----------------------
Added HBAC rule "test"
----------------------
Rule name: test
Enabled: TRUE
# ipa hbacrule-enable test
------------------------
Enabled HBAC rule "test"
------------------------
# ipa hbacrule-enable test
------------------------
Enabled HBAC rule "test"
------------------------
# echo $?
0
A failure that the rule is already enabled (or disabled for hbacrule_disable).
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
ipa-client-4.8.0-11.module+el8.1.0+4247+9f3fd721.x86_64
389-ds-base-1.4.1.3-1.module+el8.1.0+3259+a5bc8ad3.x86_64
pki-ca-10.7.3-1.module+el8.1.0+3964+500fc130.noarch
krb5-server-1.17-9.el8.x86_64
This is also an issue in older releases.
Metadata Update from @pcech: - Issue tagged with: Falcon
The plugin deliberately ignores and silences EmptyModList, see https://github.com/freeipa/freeipa/blob/c0b0c6b4b598acd7a867594d91b7f7cff47d2e5e/ipaserver/plugins/hbacrule.py#L397-L400
According to git history it has been ignoring the problem since at least 2009. Other plugins like certmaprule_enable and sudorule_enable also ignore EmptyModList. selinuxusermap_enable fails with AlreadyActive. If you are going to change the plugin and break backwards compatibility, then it might be a good idea to check all plugins for consistency.
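Added example (not FreeIPA's code and not from this ticket): because hbacrule_enable and hbacrule_disable succeed on a no-op, a caller that needs to know whether anything changed has to read the rule's state first. It assumes the hbacrule_show result carries the flag as ipaenabledflag; ensure_enabled_state, rule_is_enabled and FakeCommands are hypothetical names, and FakeCommands is a constructed stand-in for the server.

```python
# Report "changed" for hbacrule enable/disable even though the commands
# themselves return success when the rule is already in the requested state.

def rule_is_enabled(entry):
    """Read the enabled flag from an hbacrule_show result entry.

    Assumption: the flag is under 'ipaenabledflag' as a one-element
    sequence such as ['TRUE'] (a bare bool or string is also accepted).
    """
    flag = entry.get("ipaenabledflag", False)
    if isinstance(flag, (list, tuple)):
        flag = flag[0] if flag else False
    return str(flag).upper() == "TRUE"


def ensure_enabled_state(commands, name, want_enabled):
    """Enable or disable `name` only when needed; return True if changed.

    `commands` is any object exposing hbacrule_show/enable/disable
    (hypothetical stand-in for ipalib's api.Command).
    """
    entry = commands.hbacrule_show(name)["result"]
    if rule_is_enabled(entry) == want_enabled:
        return False  # no-op: the server would have reported success anyway
    if want_enabled:
        commands.hbacrule_enable(name)
    else:
        commands.hbacrule_disable(name)
    return True


class FakeCommands:
    """Constructed in-memory backend that mimics the silent no-op."""

    def __init__(self):
        self.rules = {"test": "TRUE"}
        self.calls = []

    def hbacrule_show(self, name):
        return {"result": {"cn": [name], "ipaenabledflag": [self.rules[name]]}}

    def hbacrule_enable(self, name):
        self.calls.append(("hbacrule_enable", name))
        self.rules[name] = "TRUE"  # succeeds even if already TRUE
        return {"result": True}

    def hbacrule_disable(self, name):
        self.calls.append(("hbacrule_disable", name))
        self.rules[name] = "FALSE"  # succeeds even if already FALSE
        return {"result": True}
```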