Re: [Freeipa-devel] [PATCH] 246 Configure SELinux for httpd during upgrades

2012-04-04 Thread Rob Crittenden

Martin Kosek wrote:

SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrades) missed the configuration. This led to AVC denials when httpd
tried to contact ipa_memcached, and users were unable to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603


ACK, pushed to master and ipa-2-2

rob



[Freeipa-devel] [PATCH] 246 Configure SELinux for httpd during upgrades

2012-04-03 Thread Martin Kosek
SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrades) missed the configuration. This led to AVC denials when httpd
tried to contact ipa_memcached, and users were unable to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603

From 846eb1d6153e9a5f97e25dbb75b858eed1a17b77 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Tue, 3 Apr 2012 10:47:40 +0200
Subject: [PATCH] Configure SELinux for httpd during upgrades

SELinux configuration for httpd instance was set for new
installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x
upgrades) missed the configuration. This led to AVC denials when httpd
tried to contact ipa_memcached, and users were unable to log in.

This patch updates ipa-upgradeconfig to configure SELinux
in the same way as ipa-server-install does.

https://fedorahosted.org/freeipa/ticket/2603
---
 install/tools/ipa-upgradeconfig   |   24 
 ipaserver/install/httpinstance.py |4 ++--
 2 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 40a2b68ce89b58b98077428783a98e3060674665..a2a30249923ed127d2d68d312ad7abeb04627678 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -163,7 +163,7 @@ def check_certs():
 print Missing Certification Authority file.
 print You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt
 
-def upgrade_pki():
+def upgrade_pki(fstore):
 
 Update/add the dogtag proxy configuration. The IPA side of this is
 handled in ipa-pki-proxy.conf.
@@ -173,7 +173,6 @@ def upgrade_pki():
 if not os.path.exists('/etc/pki-ca/CS.cfg'):
 return
 
-fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
 http = httpinstance.HTTPInstance(fstore)
 http.enable_mod_nss_renegotiate()
 if not installutils.get_directive('/etc/pki-ca/CS.cfg',
@@ -222,13 +221,11 @@ def update_dbmodules(realm, filename=/etc/krb5.conf):
 fd.write(.join(newfile))
 fd.close()
 
-def cleanup_kdc():
+def cleanup_kdc(fstore):
 
 Clean up old KDC files if they exist. We need to remove the actual
 file and any references in the uninstall configuration.
 
-fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
-
 for file in ['kpasswd.keytab', 'ldappwd']:
 filename = '/var/kerberos/krb5kdc/%s' % file
 installutils.remove_file(filename)
@@ -244,6 +241,14 @@ def upgrade_ipa_profile(realm):
 if ca.enable_subject_key_identifier():
 ca.restart()
 
+def upgrade_httpd_selinux(fstore):
+
+Update SElinux configuration for httpd instance in the same way as the
+new server installation does.
+
+http = httpinstance.HTTPInstance(fstore)
+http.configure_selinux_for_httpd()
+
 def main():
 
 Get some basics about the system. If getting those basics fail then
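Review bot: Nothing in this patch calls the new `upgrade_httpd_selinux` helper — main() invokes `http.configure_selinux_for_httpd()` directly in a later hunk — so the helper is dead code that will drift from the real upgrade path. Either route main() through it (`upgrade_httpd_selinux(fstore)` in place of the inline call) or drop the function; keeping a single entry point also gives one place to add error handling should configure_selinux_for_httpd fail on a host where SELinux is disabled or setsebool is unavailable, which this hunk does not address. The docstring should also spell the subsystem `SELinux` rather than `SElinux`.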
@@ -254,6 +259,8 @@ def main():
 if not os.geteuid()==0:
 sys.exit(\nYou must be root to run this script.\n)
 
+fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+
 try:
 krbctx = krbV.default_context()
 except krbV.Krb5Error, e:
@@ -274,12 +281,13 @@ def main():
 upgrade(sub_dict, /etc/httpd/conf.d/ipa.conf, ipautil.SHARE_DIR + ipa.conf)
 upgrade(sub_dict, /etc/httpd/conf.d/ipa-rewrite.conf, ipautil.SHARE_DIR + ipa-rewrite.conf)
 upgrade(sub_dict, /etc/httpd/conf.d/ipa-pki-proxy.conf, ipautil.SHARE_DIR + ipa-pki-proxy.conf, add=True)
-upgrade_pki()
+upgrade_pki(fstore)
 update_dbmodules(krbctx.default_realm)
 uninstall_ipa_kpasswd()
 
-http = httpinstance.HTTPInstance()
+http = httpinstance.HTTPInstance(fstore)
 http.remove_httpd_ccache()
+http.configure_selinux_for_httpd()
 
 memcache = memcacheinstance.MemcacheInstance()
 memcache.ldapi = True
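Review bot: The added `http.configure_selinux_for_httpd()` call is unconditional, so it re-runs on every ipa-upgradeconfig invocation rather than only on the 2.1.x -> 2.2.x step, and the hunk gives no hint of what the install-time step records in the sysrestore state now shared via `HTTPInstance(fstore)`. If the method backs up the current SELinux boolean value before calling setsebool -P (as an install step normally would so that uninstall can revert it), a re-run on an already-configured server would overwrite that backup with the already-enabled value, and a later uninstall would leave httpd's widened policy in place. Worth guarding the call with a check that the boolean state is not yet recorded in the store, or having configure_selinux_for_httpd itself skip the backup when one exists — please confirm against its body, which is outside this hunk. Also confirm that on hosts with SELinux disabled the call does not raise and abort the remaining upgrade steps that follow it in main().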
@@ -294,7 +302,7 @@ def main():
 except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry):
 pass
 
-cleanup_kdc()
+cleanup_kdc(fstore)
 upgrade_ipa_profile(krbctx.default_realm)
 
 try:
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e46d4ed5a19fb93398acf3c39cdefeafbac3ea9c..0a09c26f2d16af62b66bc5b9c24851f2cfd46158 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -86,7 +86,7 @@ class HTTPInstance(service.Service):
 self.step(publish CA cert, self.__publish_ca_cert)
 self.step(creating a keytab for httpd, self.__create_http_keytab)
 self.step(clean up any existing httpd ccache, self.remove_httpd_ccache)
-self.step(configuring SELinux for httpd, self.__selinux_config)
+self.step(configuring SELinux for httpd, self.configure_selinux_for_httpd)
 self.step(restarting httpd, self.__start)