URL: https://github.com/freeipa/freeipa/pull/796 Author: MartinBasti Title: #796: [WIP] Move selinux booleans to ipaplatform Action: synchronized
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/796/head:pr796 git checkout pr796
From 95565fa130df69b25db28c5d5bbffeda31df9602 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 18 May 2017 17:19:23 +0200
Subject: [PATCH 1/2] httpd: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.
---
 ipaplatform/base/constants.py | 6 ++++++
 ipaserver/install/httpinstance.py | 11 ++---------
 ipaserver/install/ipa_restore.py | 2 +-
 3 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index dccb0e7191..8b98b06fe9 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -27,4 +27,10 @@ class BaseConstantsNamespace(object):
 ODS_GROUP = "ods"
 # nfsd init variable used to enable kerberized NFS
 SECURE_NFS_VAR = "SECURE_NFS"
+ SELINUX_BOOLEAN_HTTPD = {
+ 'httpd_can_network_connect': 'on',
+ 'httpd_manage_ipa': 'on',
+ 'httpd_run_ipa': 'on',
+ 'httpd_dbus_sssd': 'on',
+ }
 SSSD_USER = "sssd"
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index c76a1a4e48..608652033e 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -50,13 +50,6 @@
 from ipaplatform.paths import paths
 from ipaplatform import services
-SELINUX_BOOLEAN_SETTINGS = dict(
- httpd_can_network_connect='on',
- httpd_manage_ipa='on',
- httpd_run_ipa='on',
- httpd_dbus_sssd='on',
-)
-
 HTTPD_USER = constants.HTTPD_USER
 KDCPROXY_USER = constants.KDCPROXY_USER
@@ -193,7 +186,7 @@ def __enable(self):
 def configure_selinux_for_httpd(self):
 try:
- tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
+ tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_HTTPD,
 self.backup_state)
 except ipapython.errors.SetseboolError as e:
 self.print_msg(e.format_service_warning('web interface'))
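Review bot: `SELINUX_BOOLEAN_HTTPD` is added to `BaseConstantsNamespace` in ipaplatform/base/constants.py with no comment, and as a plain dict on the base class it is inherited by every platform and shared by reference with every caller. `httpd_can_network_connect` lets httpd open outbound network connections, so anyone auditing the policy would benefit from a comment such as `# SELinux booleans switched on for the IPA web server; previous values are restored on uninstall`. Because the commit message calls SELinux platform dependent, the comment should also say whether a platform without these booleans is expected to override the attribute with an empty dict, and that an override must assign a new dict rather than mutate this one. The same applies to `SELINUX_BOOLEAN_ADTRUST`, added to the same class in patch 2.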
@@ -556,7 +549,7 @@ def uninstall(self):
 # Restore SELinux boolean states
 boolean_states = {name: self.restore_state(name)
- for name in SELINUX_BOOLEAN_SETTINGS}
+ for name in constants.SELINUX_BOOLEAN_HTTPD}
 try:
 tasks.set_selinux_booleans(boolean_states)
 except ipapython.errors.SetseboolError as e:
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 96fc493c77..da66e9cbe0 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -796,7 +796,7 @@ def __create_dogtag_log_dirs(self):
 self.log.error('Problem with %s: %s' % (dir, e))
 def restore_selinux_booleans(self):
- bools = dict(httpinstance.SELINUX_BOOLEAN_SETTINGS)
+ bools = dict(constants.SELINUX_BOOLEAN_HTTPD)
 if 'ADTRUST' in self.backup_services:
 if adtrustinstance:
 bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
From 8881f948490764b3eb5c13bb5342054537ed3d30 Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Thu, 18 May 2017 17:23:54 +0200
Subject: [PATCH 2/2] adtrust: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.
---
 ipaplatform/base/constants.py | 3 +++
 ipaserver/install/adtrustinstance.py | 7 +++----
 ipaserver/install/ipa_restore.py | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 8b98b06fe9..6592c63d97 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -27,6 +27,9 @@ class BaseConstantsNamespace(object):
 ODS_GROUP = "ods"
 # nfsd init variable used to enable kerberized NFS
 SECURE_NFS_VAR = "SECURE_NFS"
+ SELINUX_BOOLEAN_ADTRUST = {
+ 'samba_portmapper': 'on',
+ }
 SELINUX_BOOLEAN_HTTPD = {
 'httpd_can_network_connect': 'on',
 'httpd_manage_ipa': 'on',
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index b4db055045..66dd6b57b6 100644
--- a/ipaserver/install/adtrustinstance.py
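Review bot: In `uninstall()` of httpinstance.py the names to restore come from whatever `constants.SELINUX_BOOLEAN_HTTPD` holds when uninstall runs, not from the names that were saved through `self.backup_state` at install time. With the set now in a platform constant, a boolean saved at install but missing from the current constant would stay switched on after uninstall. A name that was never saved is also passed to `self.restore_state(name)`, and what that returns for an unknown name is not visible in this hunk. Either build `boolean_states` only from names that have a saved value, or document the limitation, e.g. `# names come from the current platform constant; booleans saved by an older install but no longer listed are not restored`. The same pattern is in `uninstall()` of adtrustinstance.py with `SELINUX_BOOLEAN_ADTRUST` in patch 2; both function bodies start and end outside their hunks.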
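Review bot: `restore_selinux_booleans()` in ipa_restore.py now reads `constants.SELINUX_BOOLEAN_HTTPD`, but neither patch in this series adds an import of `constants` to ipa_restore.py, whereas adtrustinstance.py gains `from ipaplatform.constants import constants` in patch 2. If the module does not already import that name, this line raises NameError while a restore is running, so please confirm and add the same import if it is missing. It is also worth checking whether the `httpinstance` import in ipa_restore.py is still used once this reference is gone. The function continues past the end of the hunk.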
+++ b/ipaserver/install/adtrustinstance.py
@@ -45,6 +45,7 @@
 import ipaclient.install.ipachangeconf
 from ipaplatform import services
+from ipaplatform.constants import constants
 from ipaplatform.paths import paths
 from ipaplatform.tasks import tasks
@@ -60,8 +61,6 @@
 and re-run ipa-adtrust-instal again afterwards.
 """
-SELINUX_BOOLEAN_SETTINGS = {'samba_portmapper': 'on'}
-
 def check_inst():
 for smbfile in [paths.SMBD, paths.NET]:
@@ -593,7 +592,7 @@ def __add_dns_service_records(self):
 def __configure_selinux_for_smbd(self):
 try:
- tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
+ tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_ADTRUST,
 self.backup_state)
 except ipapython.errors.SetseboolError as e:
 self.print_msg(e.format_service_warning('adtrust service'))
@@ -880,7 +879,7 @@ def uninstall(self):
 # Restore the state of affected selinux booleans
 boolean_states = {name: self.restore_state(name)
- for name in SELINUX_BOOLEAN_SETTINGS}
+ for name in constants.SELINUX_BOOLEAN_ADTRUST}
 try:
 tasks.set_selinux_booleans(boolean_states)
 except ipapython.errors.SetseboolError as e:
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index da66e9cbe0..f786c746bb 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -799,7 +799,7 @@ def restore_selinux_booleans(self):
 bools = dict(constants.SELINUX_BOOLEAN_HTTPD)
 if 'ADTRUST' in self.backup_services:
 if adtrustinstance:
- bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+ bools.update(constants.SELINUX_BOOLEAN_ADTRUST)
 else:
 self.log.error(
 'The AD trust package was not found, '
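Review bot: The `if adtrustinstance:` test in `restore_selinux_booleans()` of ipa_restore.py no longer guards an attribute read from that module, because the values now come from `constants`; it only decides whether `samba_portmapper` is switched on during a restore. That intent is not stated anywhere in the hunk, so a later cleanup could drop the test as dead code and enable the Samba boolean on hosts without the AD trust package. A one-line comment above the test would prevent that, e.g. `# only enable the Samba booleans when the AD trust package is installed`. The `else` branch continues past the end of the hunk.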