On Mon, Jul 23, 2012 at 09:08:52AM +0200, Jan Zelený wrote:
> On Monday 23 July 2012 08:16:30, Jan Zelený wrote:
> > On Friday 20 July 2012 21:19:08, Jakub Hrozek wrote:
> > > On Fri, Jul 20, 2012 at 05:51:29PM +0200, Jan Zelený wrote:
> > > > On Friday 20 July 2012 17:46:33, Jakub Hrozek wrote:
> > > > > On Fri, Jul 20, 2012 at 05:27:44PM +0200, Jan Zelený wrote:
> > > > > > > Oh right, it's an HBAC attribute..
> > > > > > >
> > > > > > > Can't you just include ipa_hbac_private.h, then?
> > > > > >
> > > > > > I didn't exactly like that solution either so I moved those two
> > > > > > constants to ipa_hbac.h which is supposed to be a public HBAC
> > > > > > interface. The "right solution" would be to construct a map for
> > > > > > HBAC rules, I know we discussed this with Stephen several months
> > > > > > back but we never really got to do that.
> > > > >
> > > > > ipa_hbac.h is a public header of libipa_hbac, included in
> > > > > libipa_hbac-devel. The attribute names don't have to be in the
> > > > > public interface, I think that including the ipa_hbac_private.h
> > > > > header is just fine.
> > > >
> > > > Well, it's probably the best of bad options. Patches attached.
> > > >
> > > > Jan
> > >
> > > Nack, these patches still don't work. Here is my setup:
> > >
> > > # ipa selinuxusermap-find
> > > ---------------------------
> > > 2 SELinux User Maps matched
> > > ---------------------------
> > >
> > > Rule name: test_all_user_all_hosts
> > > SELinux User: xguest_u:s0
> > > User category: all
> > > Host category: all
> > > Enabled: TRUE
> > >
> > > Rule name: test_user_all_hosts
> > > SELinux User: user_u:s0-s0:c0.c1023
> > > Host category: all
> > > Enabled: TRUE
> > > Users: tuser1
> > >
> > > I'm logging in as tuser1, so I was expecting to get
> > > "user_u:s0-s0:c0.c1023", however neither of the maps match and I'm
> > > left with the default.
> >
> > Could you please provide some more information like log files and cache?
> > I have re-tested everything on my setup and it performs as expected.
> >
> > Thanks
> > Jan
>
> Never mind. I tried to play with my setup a bit and I eventually found the
> issue myself. It was a rather stupid copy-paste error, sorry for the
> inconvenience.
>
> Sending corrected patch set.
>
> Jan

The first two patches work fine now, ack. I'll also push them to master so that Rob has something to test.

Specificity of SELinux user mappings linked with HBAC rules still doesn't work, though. Because most probably we'll be doing a release today, I've filed a new ticket so we can track this issue on its own:

https://fedorahosted.org/sssd/ticket/1435