Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode.

This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).

rob
>From 2794abe72ebbdc38503cdf3cc779fa41d6e14a92 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
 work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
---
 ipaserver/install/httpinstance.py |   43 +++++++++++++++++++------------------
 1 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204be062d0f4ec895cdaf0c6a41d4ce54f4e3..75d80ac9abf91e97739239497b18097f03a8a93c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,10 @@ HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
 NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
 
-selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
+selinux_warning = """WARNING: could not set selinux boolean %(var)s to true.
 The web interface may not function correctly until this boolean is
 successfully change with the command:
-   /usr/sbin/setsebool -P httpd_can_network_connect true
+   /usr/sbin/setsebool -P %(var)s true
 Try updating the policycoreutils and selinux-policy packages.
 """
 
@@ -103,28 +103,28 @@ class HTTPInstance(service.Service):
         self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
 
     def __selinux_config(self):
-        selinux=0
+        selinux = False
         try:
             if (os.path.exists('/usr/sbin/selinuxenabled')):
                 ipautil.run(["/usr/sbin/selinuxenabled"])
-                selinux=1
+                selinux = True
         except ipautil.CalledProcessError:
             # selinuxenabled returns 1 if not enabled
             pass
 
         if selinux:
+            for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+                try:
+                    (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
+                    self.backup_state(var, stdout.split()[2])
+                except:
+                    pass
+
+            # Allow apache to connect to the dogtag UI and the session cache
+            # This can still fail even if selinux is enabled. Execute these
+            # together so it is speedier. 
             try:
-                # returns e.g. "httpd_can_network_connect --> off"
-                (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool",
-                                                "httpd_can_network_connect"])
-                self.backup_state("httpd_can_network_connect", stdout.split()[2])
-            except:
-                pass
-
-            # Allow apache to connect to the turbogears web gui
-            # This can still fail even if selinux is enabled
-            try:
-                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect=true", "httpd_manage_ipa=true"])
             except:
                 self.print_msg(selinux_warning)
 
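Review bot: The fallback on the last `except:` passes the raw `selinux_warning` template to print_msg, but this same patch changed the template to carry `%(var)s` placeholders, so on failure the admin sees the literal text `%(var)s` instead of a boolean name — and because one setsebool call now sets both booleans, the message could not say which one failed anyway. If the loaded policy does not yet know `httpd_manage_ipa` (an older selinux-policy, which the warning's own advice anticipates), the combined call presumably fails as a unit, which would also leave `httpd_can_network_connect` unset where the previous code set it independently; retrying each boolean on its own inside the except branch keeps that protection and lets the warning name the offending boolean. The bare `except:` around getsebool also hides an IndexError from `stdout.split()[2]` when getsebool prints nothing for an unknown boolean; that is pre-existing style, but worth narrowing to `ipautil.CalledProcessError` as the selinuxenabled check just above already does. __selinux_config begins inside this hunk and may continue past it.
```python
            # … unchanged: selinuxenabled check and getsebool backup loop …
            try:
                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect=true", "httpd_manage_ipa=true"])
            except:
                # The combined call fails as a unit (e.g. one boolean is
                # unknown to the loaded policy); retry one at a time so a
                # missing httpd_manage_ipa does not also lose
                # httpd_can_network_connect, and name the one that failed.
                for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
                    try:
                        ipautil.run(["/usr/sbin/setsebool", "-P", var, "true"])
                    except:
                        self.print_msg(selinux_warning % dict(var=var))
```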
@@ -293,12 +293,13 @@ class HTTPInstance(service.Service):
         installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
         installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
 
-        sebool_state = self.restore_state("httpd_can_network_connect")
-        if not sebool_state is None:
-            try:
-                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state])
-            except:
-                self.print_msg(selinux_warning)
+        for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+            sebool_state = self.restore_state(var)
+            if not sebool_state is None:
+                try:
+                    ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+                except:
+                    self.print_msg(selinux_warning % dict(var=var))
 
         if not running is None and running:
             self.start()
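Review bot: The warning printed in the new restore loop's `except:` is the install-time template, so when restoring fails it tells the admin to run `setsebool -P <var> true` even though the value being put back is `sebool_state`, which may well be `off`; that sends the admin to re-apply the IPA setting during uninstall instead of the pre-install one. A message built from the actual target, `self.print_msg("WARNING: could not restore selinux boolean %s to %s" % (var, sebool_state))`, avoids that. `if not sebool_state is None:` is carried over from the original but reads better as `if sebool_state is not None:`. The loop also issues two separate `setsebool -P` calls, repeating the slow policy rebuild this patch set out to avoid at install time; collecting `"%s=%s" % (var, sebool_state)` pairs and issuing one call would match the install path, at the cost of the same ambiguity about which boolean failed. The uninstall method this loop sits in begins before the hunk.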
-- 
1.7.7.6
