Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.
This is being done in the HTTP instance so we can set both booleans in
one step and save a bit of time (it is still slow).
rob
>From 2794abe72ebbdc38503cdf3cc779fa41d6e14a92 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
work.
This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).
https://fedorahosted.org/freeipa/ticket/2432
---
ipaserver/install/httpinstance.py | 43 +++++++++++++++++++------------------
1 files changed, 22 insertions(+), 21 deletions(-)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204be062d0f4ec895cdaf0c6a41d4ce54f4e3..75d80ac9abf91e97739239497b18097f03a8a93c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,10 @@ HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
-selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
+selinux_warning = """WARNING: could not set selinux boolean %(var)s to true.
The web interface may not function correctly until this boolean is
successfully change with the command:
- /usr/sbin/setsebool -P httpd_can_network_connect true
+ /usr/sbin/setsebool -P %(var)s true
Try updating the policycoreutils and selinux-policy packages.
"""
@@ -103,28 +103,28 @@ class HTTPInstance(service.Service):
self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
def __selinux_config(self):
- selinux=0
+ selinux = False
try:
if (os.path.exists('/usr/sbin/selinuxenabled')):
ipautil.run(["/usr/sbin/selinuxenabled"])
- selinux=1
+ selinux = True
except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled
pass
if selinux:
+ for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+ try:
+ (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
+ self.backup_state(var, stdout.split()[2])
+ except:
+ pass
+
+ # Allow apache to connect to the dogtag UI and the session cache
+ # This can still fail even if selinux is enabled. Execute these
+ # together so it is speedier.
try:
- # returns e.g. "httpd_can_network_connect --> off"
- (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool",
- "httpd_can_network_connect"])
- self.backup_state("httpd_can_network_connect", stdout.split()[2])
- except:
- pass
-
- # Allow apache to connect to the turbogears web gui
- # This can still fail even if selinux is enabled
- try:
- ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
+ ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect=true", "httpd_manage_ipa=true"])
except:
self.print_msg(selinux_warning)
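Review bot: The context line `self.print_msg(selinux_warning)` at the end of this hunk now prints the template unformatted, because the first hunk turned `selinux_warning` into a `%(var)s` template and only the uninstall path in the third hunk applies the substitution; a user whose `setsebool` fails will see a literal `%(var)s` in place of the boolean name. Since both booleans are set in one call here, the warning should be emitted per boolean, e.g. `for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:` followed by `    self.print_msg(selinux_warning % dict(var=var))`. The newly added bare `except:` around the `getsebool` loop also swallows `KeyboardInterrupt` and `SystemExit`; `except (ipautil.CalledProcessError, IndexError):` keeps the same best-effort behaviour while naming what is expected to fail (the command itself, or `stdout.split()[2]` when the output lacks a third field). `__selinux_config` may continue beyond the last line of this hunk.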
@@ -293,12 +293,13 @@ class HTTPInstance(service.Service):
installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
- sebool_state = self.restore_state("httpd_can_network_connect")
- if not sebool_state is None:
- try:
- ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state])
- except:
- self.print_msg(selinux_warning)
+ for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+ sebool_state = self.restore_state(var)
+ if not sebool_state is None:
+ try:
+ ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+ except:
+ self.print_msg(selinux_warning % dict(var=var))
if not running is None and running:
self.start()
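Review bot: The restore loop keeps the non-idiomatic test `if not sebool_state is None:`; `if sebool_state is not None:` reads as intended and is what PEP 8 recommends. The loop also re-introduces a bare `except:` around `setsebool`, which would hide `KeyboardInterrupt` during uninstall; `except ipautil.CalledProcessError:` matches the exception this hunk's own install path already handles for `selinuxenabled`. Given the commit message's remark that `setsebool -P` is slow, the two restores could be folded into one invocation by collecting `"%s=%s" % (var, sebool_state)` pairs and running `setsebool -P` once, mirroring the install side, though the per-variable warning would then need to list all restored booleans. The enclosing uninstall method starts before this hunk.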
--
1.7.7.6