Tomas Babej wrote:
On 02/04/2013 04:21 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 01/30/2013 05:12 PM, Tomas Babej wrote:

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
used to bypass the checks.

Parts of platform-dependant code were refactored to use newly added
is_selinux_enabled() function.


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?


Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.


The patch looks good, I'm just wondering about one thing. The default value for is_selinux_enabled() is True in ipapython/

So this means that any non-Red Hat/non-Fedora system, by default, is going to assume that SELinux is enabled.

My hesitation has to when we call check_selinux_status(). It may incorrectly error out. I suspect that the user would have to work around this using --allow-selinux-disabled but this wouldn't make a lot of sense since they actually do have SELinux disabled.

What do you think?


Freeipa-devel mailing list

Reply via email to