On Tue, 2012-01-17 at 17:59 -0500, Rob Crittenden wrote:
> When deleting an HBAC rule we need to ensure that an SELinux user map
> isn't pointing at it. The search for this didn't work well at all.
> This patch corrects the search and makes it more specific.
> I also tested that it works with the --continue flag of hbacrule-del.
> The ticket has instructions on testing.
Works fine. There is just one part that is IMO too complicated:
+ hbacrule = options['seealso']
+ kw = dict(cn=hbacrule, all=True)
_entries = api.Command.hbacrule_find(None, **kw)['result']
- if _entries:
- options['seealso'] = _entries['dn']
+ found = False
+ # look for an exact match. The search may return partial
+ # matches.
+ for entry in _entries:
+ if entry['cn'] == hbacrule:
+ found = True
+ options['seealso'] = entry['dn']
+ if not found:
+ return dict(count=0, result=, truncated=False)
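Review bot: The `for entry in _entries:` loop has no `break` after the exact match, so it keeps scanning once `found` is set, and if more than one entry compares equal to `hbacrule` the last one silently ends up in `options['seealso']`. Adding `break` after the assignment and moving the not-found return into a `for ... else` clause would stop at the first match and make the `found` flag unnecessary. Separately, the early return as shown reads `result=,` with no value, so it needs an explicit empty result to be valid.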
I think hbacrule_find(None, cn=HBACRULE) should not return partial
matches, but just the exact match (tried with hbacrule-find
--name=HBACRULE). Then the loop over entries wouldn't be needed.
Couldn't we simply call hbacrule_show since we want just one HBAC rule
with a known primary key?
Freeipa-devel mailing list