Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-14 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 12 Mar 2012, Rob Crittenden wrote:

Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Mon, 12 Mar 2012, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Wed, 07 Mar 2012, Rob Crittenden wrote:


Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.

This is being done in the HTTP instance so we can set both booleans
in one step and save a bit of time (it is still slow).

I would prefer all platform-specific manipulations of security
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.



I'd prefer to keep the change simple for now and do the big move post
2.2.

ACK on condition you'd file a ticket for the post 2.2 work.

:)


Filed this https://fedorahosted.org/freeipa/ticket/2519

I found an issue with this patch that I need to address, will submit a
replacement.

rob


Handle things better if a boolean doesn't exist.

Lucky that setsebool takes multiple booleans at the same time...
Maybe it would make sense to merge bools upon recover?

Otherwise ACK.



pushed to master and ipa-2-2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-12 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Wed, 07 Mar 2012, Rob Crittenden wrote:


Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.

This is being done in the HTTP instance so we can set both booleans
in one step and save a bit of time (it is still slow).

I would prefer all platform-specific manipulations of security
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.



I'd prefer to keep the change simple for now and do the big move post 2.2.

rob



Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-12 Thread Alexander Bokovoy
On Mon, 12 Mar 2012, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Wed, 07 Mar 2012, Rob Crittenden wrote:
 
 Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
 enforcing mode.
 
 This is being done in the HTTP instance so we can set both booleans
 in one step and save a bit of time (it is still slow).
 I would prefer all platform-specific manipulations of security
 policies to be moved to platform-specific module.
 
 Make a HTTP class there (like I did dirsrv class in systemd
 backend) and perform manipulations on service enable.
 
 This way main code will stay clear of platform-specific code.
 
 Sorry for not looking into the issue before.
 
 
 I'd prefer to keep the change simple for now and do the big move post 2.2.
ACK on condition you'd file a ticket for the post 2.2 work.

:)

-- 
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-12 Thread Rob Crittenden

Alexander Bokovoy wrote:

On Mon, 12 Mar 2012, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Wed, 07 Mar 2012, Rob Crittenden wrote:


Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.

This is being done in the HTTP instance so we can set both booleans
in one step and save a bit of time (it is still slow).

I would prefer all platform-specific manipulations of security
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.



I'd prefer to keep the change simple for now and do the big move post 2.2.

ACK on condition you'd file a ticket for the post 2.2 work.

:)


Filed this https://fedorahosted.org/freeipa/ticket/2519

I found an issue with this patch that I need to address, will submit a 
replacement.


rob



Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-12 Thread Rob Crittenden

Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Mon, 12 Mar 2012, Rob Crittenden wrote:

Alexander Bokovoy wrote:

On Wed, 07 Mar 2012, Rob Crittenden wrote:


Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
enforcing mode.

This is being done in the HTTP instance so we can set both booleans
in one step and save a bit of time (it is still slow).

I would prefer all platform-specific manipulations of security
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.



I'd prefer to keep the change simple for now and do the big move post
2.2.

ACK on condition you'd file a ticket for the post 2.2 work.

:)


Filed this https://fedorahosted.org/freeipa/ticket/2519

I found an issue with this patch that I need to address, will submit a
replacement.

rob


Handle things better if a boolean doesn't exist.

rob

From 6e2b7a99123f34660de97639dd78e7b9b172dccc Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
 work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
---
 ipaserver/install/httpinstance.py |   59 
 1 files changed, 33 insertions(+), 26 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204b..60d5604 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,11 @@ HTTPD_DIR = /etc/httpd
 SSL_CONF = HTTPD_DIR + /conf.d/ssl.conf
 NSS_CONF = HTTPD_DIR + /conf.d/nss.conf
 
-selinux_warning = WARNING: could not set selinux boolean httpd_can_network_connect to true.
-The web interface may not function correctly until this boolean is
-successfully change with the command:
-   /usr/sbin/setsebool -P httpd_can_network_connect true
+selinux_warning = 
+WARNING: could not set selinux boolean(s) %(var)s to true.  The web
+interface may not function correctly until this boolean is successfully
+change with the command:
+   /usr/sbin/setsebool -P %(var)s true
 Try updating the policycoreutils and selinux-policy packages.
 
 
@@ -103,30 +104,35 @@ class HTTPInstance(service.Service):
 self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
 
 def __selinux_config(self):
-selinux=0
+selinux = False
 try:
 if (os.path.exists('/usr/sbin/selinuxenabled')):
 ipautil.run([/usr/sbin/selinuxenabled])
-selinux=1
+selinux = True
 except ipautil.CalledProcessError:
 # selinuxenabled returns 1 if not enabled
 pass
 
 if selinux:
-try:
-# returns e.g. httpd_can_network_connect -- off
-(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool,
-httpd_can_network_connect])
-self.backup_state(httpd_can_network_connect, stdout.split()[2])
-except:
-pass
-
-# Allow apache to connect to the turbogears web gui
-# This can still fail even if selinux is enabled
-try:
-ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, true])
-except:
-self.print_msg(selinux_warning)
+# Don't assume all vars are available
+vars = []
+for var in [httpd_can_network_connect, httpd_manage_ipa]:
+try:
+(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var])
+self.backup_state(var, stdout.split()[2])
+vars.append(var)
+except:
+pass
+
+# Allow apache to connect to the dogtag UI and the session cache
+# This can still fail even if selinux is enabled. Execute these
+# together so it is speedier.
+if vars:
+bools = [var + =true for var in vars]
+try:
+ipautil.run([/usr/sbin/setsebool, -P, ' '.join(bools)])
+except:
+self.print_msg(selinux_warning % dict(var=','.join(vars)))
 
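Review bot: `' '.join(bools)` in the setsebool call collapses every boolean into one argv element, so setsebool receives a single argument `httpd_can_network_connect=true httpd_manage_ipa=true` (embedded space included) instead of two `name=value` arguments; since ipautil.run already takes an argv list, pass the list itself: `ipautil.run([/usr/sbin/setsebool, -P] + bools)`. Two smaller points: `vars` shadows the builtin of that name, and the bare `except:` around getsebool also swallows KeyboardInterrupt, where catching `ipautil.CalledProcessError` (as the selinuxenabled check just above does) would be more precise.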
 def __create_http_keytab(self):
 installutils.kadmin_addprinc(self.principal)
@@ -293,12 +299,13 @@ class HTTPInstance(service.Service):
 installutils.remove_file(/etc/httpd/conf.d/ipa.conf)
 installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf)
 
-sebool_state = self.restore_state(httpd_can_network_connect)
-if not sebool_state is None:
-try:
- 

Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-12 Thread Alexander Bokovoy
On Mon, 12 Mar 2012, Rob Crittenden wrote:
 Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Mon, 12 Mar 2012, Rob Crittenden wrote:
 Alexander Bokovoy wrote:
 On Wed, 07 Mar 2012, Rob Crittenden wrote:
 
 Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
 enforcing mode.
 
 This is being done in the HTTP instance so we can set both booleans
 in one step and save a bit of time (it is still slow).
 I would prefer all platform-specific manipulations of security
 policies to be moved to platform-specific module.
 
 Make a HTTP class there (like I did dirsrv class in systemd
 backend) and perform manipulations on service enable.
 
 This way main code will stay clear of platform-specific code.
 
 Sorry for not looking into the issue before.
 
 
 I'd prefer to keep the change simple for now and do the big move post
 2.2.
 ACK on condition you'd file a ticket for the post 2.2 work.
 
 :)
 
 Filed this https://fedorahosted.org/freeipa/ticket/2519
 
 I found an issue with this patch that I need to address, will submit a
 replacement.
 
 rob
 
 Handle things better if a boolean doesn't exist.
Lucky that setsebool takes multiple booleans at the same time...
Maybe it would make sense to merge bools upon recover?

Otherwise ACK.

-- 
/ Alexander Bokovoy
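The approach debated in this thread, written out as an added example that is not FreeIPA's code: probe each boolean with getsebool, skip the ones the policy does not know, switch on the survivors with a single persistent setsebool call, and restore them with one merged call as suggested above. The command paths are those from the patch; the function names, the injectable `runner` callable and the constructed getsebool output are this example's own assumptions. getsebool prints `name --> value`; the parser also accepts the `--` spelling that survives in the patch comment.

```python
"""Set and restore SELinux booleans with one setsebool call per direction.

Added example, not FreeIPA's code. The command paths match the thread; the
function names, the injectable `runner` callable and the sample getsebool
output in __main__ are this example's own assumptions.
"""
import subprocess

GETSEBOOL = "/usr/sbin/getsebool"
SETSEBOOL = "/usr/sbin/setsebool"


def parse_getsebool(output):
    """Parse one `getsebool NAME` line, e.g. 'httpd_manage_ipa --> off'.

    Returns (name, value). Anything else (an error line for an unknown
    boolean, an empty string) raises ValueError so the caller can treat the
    boolean as absent instead of indexing blindly into stdout.split().
    """
    parts = output.split()
    if len(parts) != 3 or not parts[1].startswith("--"):
        raise ValueError("unexpected getsebool output: %r" % (output,))
    name, value = parts[0], parts[2]
    if value not in ("on", "off"):
        raise ValueError("unexpected boolean value: %r" % (value,))
    return name, value


def backup_booleans(names, runner):
    """Record the current value of every boolean that the policy knows.

    `runner(argv)` executes a command and returns its stdout, raising on a
    non-zero exit (the role ipautil.run plays in the thread). A boolean that
    getsebool rejects is skipped rather than aborting the whole step.
    """
    state = {}
    for name in names:
        try:
            reported, value = parse_getsebool(runner([GETSEBOOL, name]))
        except (ValueError, OSError, subprocess.CalledProcessError):
            continue
        if reported == name:
            state[name] = value
    return state


def setsebool_argv(values):
    """Build argv for ONE persistent setsebool call.

    Each boolean becomes its own "name=value" argv element. Joining them into
    a single space-separated string would hand setsebool one argument it
    cannot parse, because an argv list reaches the process unchanged.
    """
    pairs = ["%s=%s" % (name, values[name]) for name in sorted(values)]
    return [SETSEBOOL, "-P"] + pairs


def enable_booleans(names, runner):
    """Back up, then switch on every existing boolean in a single policy rebuild.

    Returns the saved pre-change state (empty if nothing could be queried,
    in which case setsebool is not run at all).
    """
    state = backup_booleans(names, runner)
    if state:
        runner(setsebool_argv(dict((name, "true") for name in state)))
    return state


def restore_booleans(state, runner):
    """Put every saved value back with one merged setsebool call.

    Returns the argv used, or None when there was nothing to restore.
    """
    if not state:
        return None
    argv = setsebool_argv(state)
    runner(argv)
    return argv


def shell_runner(argv):
    """Real runner for hosts with the SELinux tools: stdout on success, raises otherwise."""
    return subprocess.check_output(argv).decode()


if __name__ == "__main__":
    # Dry run with constructed getsebool output: the policy knows the first
    # boolean but not the second, so only one ends up in the setsebool call.
    def dry_runner(argv):
        print("would run:", argv)
        if argv[0] == GETSEBOOL and argv[1] == "httpd_can_network_connect":
            return "httpd_can_network_connect --> off\n"
        if argv[0] == GETSEBOOL:
            raise OSError("constructed: boolean not in policy")
        return ""

    saved = enable_booleans(["httpd_can_network_connect", "httpd_manage_ipa"], dry_runner)
    restore_booleans(saved, dry_runner)
```

On a real host, pass `shell_runner` instead of the dry runner; the `-P` flag is what makes the call slow, which is why both directions issue it once rather than once per boolean.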



Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-08 Thread Alexander Bokovoy
On Wed, 07 Mar 2012, Rob Crittenden wrote:

 Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in
 enforcing mode.
 
 This is being done in the HTTP instance so we can set both booleans
 in one step and save a bit of time (it is still slow).
I would prefer all platform-specific manipulations of security 
policies to be moved to platform-specific module.

Make a HTTP class there (like I did dirsrv class in systemd 
backend) and perform manipulations on service enable.

This way main code will stay clear of platform-specific code.

Sorry for not looking into the issue before.

-- 
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 981 set httpd_manage_ipa

2012-03-07 Thread Rob Crittenden
Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in 
enforcing mode.


This is being done in the HTTP instance so we can set both booleans in 
one step and save a bit of time (it is still slow).


rob
From 2794abe72ebbdc38503cdf3cc779fa41d6e14a92 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 7 Mar 2012 09:29:52 -0500
Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will
 work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
---
 ipaserver/install/httpinstance.py |   43 +++--
 1 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index a23204be062d0f4ec895cdaf0c6a41d4ce54f4e3..75d80ac9abf91e97739239497b18097f03a8a93c 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,10 @@ HTTPD_DIR = /etc/httpd
 SSL_CONF = HTTPD_DIR + /conf.d/ssl.conf
 NSS_CONF = HTTPD_DIR + /conf.d/nss.conf
 
-selinux_warning = WARNING: could not set selinux boolean httpd_can_network_connect to true.
+selinux_warning = WARNING: could not set selinux boolean %(var)s to true.
 The web interface may not function correctly until this boolean is
 successfully change with the command:
-   /usr/sbin/setsebool -P httpd_can_network_connect true
+   /usr/sbin/setsebool -P %(var)s true
 Try updating the policycoreutils and selinux-policy packages.
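Review bot: with `%(var)s` now in the template, every `print_msg(selinux_warning)` caller must apply the `%` substitution; the setter in the next hunk still prints the template unformatted, so the user would see the literal `%(var)s` in the warning. Also, "successfully change" should be "successfully changed", and the text still says "this boolean" although the installer now sets two.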
 
 
@@ -103,28 +103,28 @@ class HTTPInstance(service.Service):
 self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
 
 def __selinux_config(self):
-selinux=0
+selinux = False
 try:
 if (os.path.exists('/usr/sbin/selinuxenabled')):
 ipautil.run([/usr/sbin/selinuxenabled])
-selinux=1
+selinux = True
 except ipautil.CalledProcessError:
 # selinuxenabled returns 1 if not enabled
 pass
 
 if selinux:
+for var in [httpd_can_network_connect, httpd_manage_ipa]:
+try:
+(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var])
+self.backup_state(var, stdout.split()[2])
+except:
+pass
+
+# Allow apache to connect to the dogtag UI and the session cache
+# This can still fail even if selinux is enabled. Execute these
+# together so it is speedier. 
 try:
-# returns e.g. httpd_can_network_connect -- off
-(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool,
-httpd_can_network_connect])
-self.backup_state(httpd_can_network_connect, stdout.split()[2])
-except:
-pass
-
-# Allow apache to connect to the turbogears web gui
-# This can still fail even if selinux is enabled
-try:
-ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, true])
+ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect=true, httpd_manage_ipa=true])
 except:
 self.print_msg(selinux_warning)
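Review bot: `self.print_msg(selinux_warning)` on the failure path is not `%`-formatted, so with the placeholder introduced in the first hunk the warning prints `%(var)s` verbatim; something like `selinux_warning % dict(var='httpd_can_network_connect httpd_manage_ipa')` is needed here. More importantly, the getsebool loop above tolerates a boolean the policy does not know (`except: pass`), but the single setsebool call still names both booleans, so if setsebool rejects `httpd_manage_ipa` on an older policy the whole call fails and `httpd_can_network_connect` is not enabled either; collect the names getsebool actually reported and pass only those.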
 
@@ -293,12 +293,13 @@ class HTTPInstance(service.Service):
 installutils.remove_file(/etc/httpd/conf.d/ipa.conf)
 installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf)
 
-sebool_state = self.restore_state(httpd_can_network_connect)
-if not sebool_state is None:
-try:
-ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, sebool_state])
-except:
-self.print_msg(selinux_warning)
+for var in [httpd_can_network_connect, httpd_manage_ipa]:
+sebool_state = self.restore_state(var)
+if not sebool_state is None:
+try:
+ipautil.run([/usr/sbin/setsebool, -P, var, sebool_state])
+except:
+self.print_msg(selinux_warning % dict(var=var))
 
 if not running is None and running:
 self.start()
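Review bot: the restore loop invokes `setsebool -P` once per boolean, and each `-P` call rebuilds the policy (the commit message already notes this is slow); collecting the saved states and issuing one call with `name=value` pairs, as the install side does, would halve the uninstall cost. Style: `if not sebool_state is None` reads more naturally as `if sebool_state is not None`.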
-- 
1.7.7.6
