Normally it is not possible to delete an HBAC rule that is used by an SELinux user map. The current problem is that if any SELinux user map is defined, it is not possible to remove any HBAC rule at all, even one that the SELinux user map does not use.
Consider the following SELinux user map, which does not use any HBAC rule:
# ipa selinuxusermap-add testselinux --selinuxuser=xguest_u:s0
------------------------------------
Added SELinux User Map "testselinux"
------------------------------------
  Rule name: testselinux
  SELinux User: xguest_u:s0
  Enabled: TRUE
Add a new HBAC rule, then try to delete it:
# ipa hbacrule-add testhbac
-----------------------
Added HBAC rule "testhbac"
-----------------------
  Rule name: testhbac
  Enabled: TRUE
# ipa hbacrule-del testhbac
ipa: ERROR: testhbac cannot be deleted because SELinux User Map testselinux requires it
The deletion fails although no SELinux user map uses the rule.
Once the SELinux user map is deleted, the HBAC rule can be deleted:
# ipa selinuxusermap-del testselinux
-------------------------------
Deleted SELinux User Map "testselinux"
-------------------------------
# ipa hbacrule-del testhbac
------------------------
Deleted HBAC rule "testhbac"
------------------------
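The dependency check that misbehaves here, written out as an added example (this is not FreeIPA's code and not the attached patch): an over-broad check that refuses deletion as soon as any SELinux user map exists, beside a corrected check that only refuses when a map actually references the rule. The directory model, the suffix dc=example,dc=test, the attribute names, and the use of a multi-valued `seealso` attribute to hold the referenced HBAC rule's DN are assumptions constructed for the example; the second map `devmap` and rule `devrule` are sample data that do not appear on the ticket.

```python
"""Added example, not FreeIPA's own code: a pre-deletion dependency check for
HBAC rules, showing the over-broad check that yields the error on this ticket
beside a check that only refuses deletion when a SELinux user map really
references the rule.

Assumptions (constructed for this example, not taken from the ticket): the
directory is a dict keyed by DN; a SELinux user map points at its HBAC rule
through a multi-valued 'seealso' attribute holding the rule's DN; attribute
names and the suffix dc=example,dc=test are sample values.
"""
import copy
from typing import Dict, List

BASE_DN = "dc=example,dc=test"  # constructed sample suffix
Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]


def hbacrule_dn(name: str) -> str:
    return f"cn={name},cn=hbac,{BASE_DN}"


def selinuxusermap_dn(name: str) -> str:
    return f"cn={name},cn=usermap,cn=selinux,{BASE_DN}"


# Constructed directory mirroring the ticket: 'testselinux' uses no HBAC rule,
# while a second, invented map 'devmap' does reference the rule 'devrule'.
DIRECTORY: Directory = {
    selinuxusermap_dn("testselinux"): {
        "cn": ["testselinux"], "ipaselinuxuser": ["xguest_u:s0"], "ipaenabledflag": ["TRUE"]},
    selinuxusermap_dn("devmap"): {
        "cn": ["devmap"], "ipaselinuxuser": ["staff_u:s0"], "ipaenabledflag": ["TRUE"],
        "seealso": [hbacrule_dn("devrule")]},
    hbacrule_dn("testhbac"): {"cn": ["testhbac"], "ipaenabledflag": ["TRUE"]},
    hbacrule_dn("devrule"): {"cn": ["devrule"], "ipaenabledflag": ["TRUE"]},
}


class DependencyError(Exception):
    """Raised when a rule is still required by another object."""


def find_selinuxusermaps(directory: Directory) -> List[Entry]:
    """All entries under the (assumed) SELinux user map container."""
    suffix = (",cn=usermap,cn=selinux," + BASE_DN).lower()
    return [e for dn, e in directory.items() if dn.lower().endswith(suffix)]


def hbacrule_del_buggy(directory: Directory, name: str) -> None:
    """Behaviour reported on the ticket: the mere existence of a SELinux user
    map blocks the deletion, and the first map found is blamed whether or not
    it references the rule."""
    maps = find_selinuxusermaps(directory)
    if maps:
        raise DependencyError(
            f"{name} cannot be deleted because SELinux User Map {maps[0]['cn'][0]} requires it")
    del directory[hbacrule_dn(name)]


def referencing_maps(directory: Directory, name: str) -> List[str]:
    """Names of the SELinux user maps whose 'seealso' holds this rule's DN.
    DNs are compared case-insensitively, as LDAP does."""
    target = hbacrule_dn(name).lower()
    return [e["cn"][0] for e in find_selinuxusermaps(directory)
            if any(v.lower() == target for v in e.get("seealso", []))]


def hbacrule_del_fixed(directory: Directory, name: str) -> None:
    """Corrected check: refuse only when some map actually references the rule."""
    users = referencing_maps(directory, name)
    if users:
        raise DependencyError(
            f"{name} cannot be deleted because SELinux User Map {users[0]} requires it")
    del directory[hbacrule_dn(name)]


def run_scenarios() -> Dict[str, str]:
    """Run both checks against fresh copies of the sample directory and return
    what each one did, so the two behaviours can be compared side by side."""
    results: Dict[str, str] = {}
    for label, deleter in (("buggy", hbacrule_del_buggy), ("fixed", hbacrule_del_fixed)):
        for rule in ("testhbac", "devrule"):
            d = copy.deepcopy(DIRECTORY)
            try:
                deleter(d, rule)
                results[f"{label}:{rule}"] = "deleted"
            except DependencyError as exc:
                results[f"{label}:{rule}"] = f"ERROR: {exc}"
    return results


if __name__ == "__main__":
    for key, outcome in run_scenarios().items():
        print(f"{key:15} {outcome}")
```

With the buggy check, `testhbac` cannot be removed while `testselinux` exists, which is the ticket's symptom; the corrected check removes `testhbac` but still protects `devrule`, which `devmap` references. The same idea applies to any "is this object still referenced" guard: search for entries whose reference attribute equals the object's DN, not merely for entries of the referencing type.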
attachment freeipa-rcrit-927-selinux.patch
master: dbd87af
ipa-2-2: b1a580e
Metadata Update from @edewata:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/01