Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Mon, 12 Mar 2012, Rob Crittenden wrote:
Alexander Bokovoy wrote:
On Wed, 07 Mar 2012, Rob Crittenden wrote:

Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.

This is being done in the HTTP instance so we can set both booleans
in one step and save a bit of time (it is still slow).
I would prefer all platform-specific manipulations of security
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.


I'd prefer to keep the change simple for now and do the big move post
2.2.
ACK on condition you'd file a ticket for the post 2.2 work.

:)

Filed this https://fedorahosted.org/freeipa/ticket/2519

I found an issue with this patch that I need to address, will submit a
replacement.

rob

Handle things better if a boolean doesn't exist.

rob

>From 6e2b7a99123f34660de97639dd78e7b9b172dccc Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
 work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
---
 ipaserver/install/httpinstance.py |   59 ++++++++++++++++++++----------------
 1 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204b..60d5604 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,11 @@ HTTPD_DIR = "/etc/httpd"
 SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
 NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
 
-selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true.
-The web interface may not function correctly until this boolean is
-successfully change with the command:
-   /usr/sbin/setsebool -P httpd_can_network_connect true
+selinux_warning = """
+WARNING: could not set selinux boolean(s) %(var)s to true.  The web
+interface may not function correctly until this boolean is successfully
+change with the command:
+   /usr/sbin/setsebool -P %(var)s true
 Try updating the policycoreutils and selinux-policy packages.
 """
 
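Review bot: The rewritten warning text keeps the grammatical slip from the old message on the `change with the command:` line; since this is the string users see when the policy update fails, `successfully changed with the command:` reads correctly. The `%(var)s` substitution is fine, but note the command it prints with a comma-joined list (`setsebool -P a,b true`) is not a valid setsebool invocation when more than one boolean failed — consider substituting a space-joined `name=true` list there instead, matching how the install path invokes it.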
@@ -103,30 +104,35 @@ class HTTPInstance(service.Service):
         self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
 
     def __selinux_config(self):
-        selinux=0
+        selinux = False
         try:
             if (os.path.exists('/usr/sbin/selinuxenabled')):
                 ipautil.run(["/usr/sbin/selinuxenabled"])
-                selinux=1
+                selinux = True
         except ipautil.CalledProcessError:
             # selinuxenabled returns 1 if not enabled
             pass
 
         if selinux:
-            try:
-                # returns e.g. "httpd_can_network_connect --> off"
-                (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool",
-                                                "httpd_can_network_connect"])
-                self.backup_state("httpd_can_network_connect", stdout.split()[2])
-            except:
-                pass
-
-            # Allow apache to connect to the turbogears web gui
-            # This can still fail even if selinux is enabled
-            try:
-                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
-            except:
-                self.print_msg(selinux_warning)
+            # Don't assume all vars are available
+            vars = []
+            for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+                try:
+                    (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
+                    self.backup_state(var, stdout.split()[2])
+                    vars.append(var)
+                except:
+                    pass
+
+            # Allow apache to connect to the dogtag UI and the session cache
+            # This can still fail even if selinux is enabled. Execute these
+            # together so it is speedier.
+            if vars:
+                bools = [var + "=true" for var in vars]
+                try:
+                    ipautil.run(["/usr/sbin/setsebool", "-P", ' '.join(bools)])
+                except:
+                    self.print_msg(selinux_warning % dict(var=','.join(vars)))
 
     def __create_http_keytab(self):
         installutils.kadmin_addprinc(self.principal)
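Review bot: The batched setsebool call near the end of the hunk passes all booleans as one argv element, `' '.join(bools)`, so setsebool receives the single argument `httpd_can_network_connect=true httpd_manage_ipa=true` and will most likely reject it; the bare `except:` below it then turns that failure into the warning on every install and the booleans are never actually set. Pass them as separate arguments: `ipautil.run(["/usr/sbin/setsebool", "-P"] + bools)`. The two bare `except:` clauses also hide unrelated bugs (for example an IndexError from `stdout.split()[2]` if getsebool prints something unexpected); catching `ipautil.CalledProcessError`, as the selinuxenabled check at the top of the method already does, keeps the best-effort intent without masking them. `vars` shadows the builtin; a name like `sebools` would read better.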
@@ -293,12 +299,13 @@ class HTTPInstance(service.Service):
         installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
         installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
 
-        sebool_state = self.restore_state("httpd_can_network_connect")
-        if not sebool_state is None:
-            try:
-                ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state])
-            except:
-                self.print_msg(selinux_warning)
+        for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
+            sebool_state = self.restore_state(var)
+            if not sebool_state is None:
+                try:
+                    ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+                except:
+                    self.print_msg(selinux_warning % dict(var=var))
 
         if not running is None and running:
             self.start()
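Review bot: `if not sebool_state is None:` should be written `if sebool_state is not None:`, and the bare `except:` around the setsebool call swallows everything, including KeyboardInterrupt; narrowing it to `except ipautil.CalledProcessError:` matches the selinuxenabled handling in __selinux_config. The loop also runs `setsebool -P` once per boolean, each of which rebuilds the policy, whereas the install side batches them into one call; collecting the `name=value` pairs and issuing a single call would keep uninstall as fast as install. The enclosing uninstall method starts outside the hunk.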
-- 
1.7.6
