[SEMANAGE(tool)] Do not attempt to delete in-policy users

[SEMANAGE(tool)] Do not attempt to delete in-policy users

[Ivan Gyurdiev]

[-- Attachment #1: Type: text/plain, Size: 737 bytes --]

Hi, this patch shows how to properly use the exists function on delete.

The libsemanage delete operation will succeed if you try to delete an 
object that does not exist (no action is taken), so the user is left 
wondering why the object wasn't deleted, but no error was displayed. The 
del_local function checks if the user exists "locally" - not in-policy. 
The same is true for all functions that end in _local. You can't delete 
in-policy objects at this time (you can only modify them). To support 
deletion of in-policy objects we have to track the user deletion 
requests in a file, and then apply those on every policy upgrade. This 
is possible, but it's not currently implemented - didn't think it was a 
wanted feature.






[-- Attachment #2: semanage.exists_test.diff --]
[-- Type: text/x-patch, Size: 795 bytes --]

diff -Naurp --exclude-from excludes old/policycoreutils/semanage/semanage new/policycoreutils/semanage/semanage
--- old/policycoreutils/semanage/semanage	2005-11-29 10:55:01.000000000 -0500
+++ new/policycoreutils/semanage/semanage	2005-12-24 14:32:50.000000000 -0500
@@ -137,9 +137,12 @@ class seluserRecords:
 		
 	def delete(self, name):
 		(rc,k)=semanage_user_key_create(self.sh, name)
+		(rc,exists_local)= semanage_user_exists_local(self.sh, k)
 		(rc,exists)= semanage_user_exists(self.sh, k)
 		if not exists:
 			raise ValueError("user %s is not defined" % name)
+		if not exists_local:
+			raise ValueError("user %s is built into policy, and cannot be deleted" % name)
 		semanage_begin_transaction(self.sh)
 		semanage_user_del_local(self.sh, k)
 		if semanage_commit(self.sh) != 0: