Tomas Babej wrote:
On 02/04/2013 04:21 PM, Rob Crittenden wrote:
Tomas Babej wrote:
On 01/30/2013 05:12 PM, Tomas Babej wrote:
Hi,
The checks make sure that SELinux is:
- installed and enabled (on server install)
- installed and enabled OR not installed (on client install)
Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)
The (unsupported) option --allow-no-selinux has been added. It can
used to bypass the checks.
Parts of platform-dependant code were refactored to use newly added
is_selinux_enabled() function.
https://fedorahosted.org/freeipa/ticket/3359
Tomas
I forgot to edit the man pages. Thanks Rob!
Updated patch attached.
Tomas
After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.
Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?
rob
Sure, here is the updated patch.
I edited the commit message, RFE description and man pages according to
the new behaviour.
Tomas
The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.
So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.
My hesitation has to when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work around
this using --allow-selinux-disabled but this wouldn't make a lot of
sense since they actually do have SELinux disabled.
What do you think?
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel