Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
Alexander Bokovoy wrote:
> On Mon, 12 Mar 2012, Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Mon, 12 Mar 2012, Rob Crittenden wrote:
>>>>> Alexander Bokovoy wrote:
>>>>>> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>>>>>>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
>>>>>> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.
>>>>> I'd prefer to keep the change simple for now and do the big move post 2.2.
>>>> ACK on condition you'd file a ticket for the post 2.2 work. :)
>>> Filed this https://fedorahosted.org/freeipa/ticket/2519
>>> I found an issue with this patch that I need to address, will submit a replacement.
>>> rob
>> Handle things better if a boolean doesn't exist.
> Lucky that setsebool takes multiple booleans at the same time... Maybe it would make sense to merge bools upon recovery? Otherwise ACK.

pushed to master and ipa-2-2

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
Alexander Bokovoy wrote:
> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.

I'd prefer to keep the change simple for now and do the big move post 2.2.

rob
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
On Mon, 12 Mar 2012, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
>> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.
> I'd prefer to keep the change simple for now and do the big move post 2.2.

ACK on condition you'd file a ticket for the post 2.2 work. :)

--
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
Alexander Bokovoy wrote:
> On Mon, 12 Mar 2012, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>>>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
>>> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.
>> I'd prefer to keep the change simple for now and do the big move post 2.2.
> ACK on condition you'd file a ticket for the post 2.2 work. :)

Filed this https://fedorahosted.org/freeipa/ticket/2519

I found an issue with this patch that I need to address, will submit a replacement.

rob
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Mon, 12 Mar 2012, Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>>>>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
>>>> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.
>>> I'd prefer to keep the change simple for now and do the big move post 2.2.
>> ACK on condition you'd file a ticket for the post 2.2 work. :)
> Filed this https://fedorahosted.org/freeipa/ticket/2519
> I found an issue with this patch that I need to address, will submit a replacement.
> rob

Handle things better if a boolean doesn't exist.

rob

From 6e2b7a99123f34660de97639dd78e7b9b172dccc Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 7 Mar 2012 09:29:52 -0500 Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will work. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow). https://fedorahosted.org/freeipa/ticket/2432 --- ipaserver/install/httpinstance.py | 59 1 files changed, 33 insertions(+), 26 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index a23204b..60d5604 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py
@@ -37,10 +37,11 @@ HTTPD_DIR = /etc/httpd SSL_CONF = HTTPD_DIR + /conf.d/ssl.conf NSS_CONF = HTTPD_DIR + /conf.d/nss.conf -selinux_warning = WARNING: could not set selinux boolean httpd_can_network_connect to true. -The web interface may not function correctly until this boolean is -successfully change with the command: - /usr/sbin/setsebool -P httpd_can_network_connect true +selinux_warning = +WARNING: could not set selinux boolean(s) %(var)s to true. The web +interface may not function correctly until this boolean is successfully +change with the command: + /usr/sbin/setsebool -P %(var)s true Try updating the policycoreutils and selinux-policy packages. 
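Review bot: the rewritten warning keeps the old typo on its added line, "until this boolean is successfully change" (should be "changed"), and still says "this boolean" although the first line now reads "boolean(s)". The suggested command is also misleading once %(var)s holds more than one name: the install path fills it with ','.join(vars), which renders as `/usr/sbin/setsebool -P httpd_can_network_connect,httpd_manage_ipa true`, a form setsebool does not accept. Either print one command per boolean or render the names as space-separated name=true pairs.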
@@ -103,30 +104,35 @@ class HTTPInstance(service.Service): self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) def __selinux_config(self): -selinux=0 +selinux = False try: if (os.path.exists('/usr/sbin/selinuxenabled')): ipautil.run([/usr/sbin/selinuxenabled]) -selinux=1 +selinux = True except ipautil.CalledProcessError: # selinuxenabled returns 1 if not enabled pass if selinux: -try: -# returns e.g. httpd_can_network_connect -- off -(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, -httpd_can_network_connect]) -self.backup_state(httpd_can_network_connect, stdout.split()[2]) -except: -pass - -# Allow apache to connect to the turbogears web gui -# This can still fail even if selinux is enabled -try: -ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, true]) -except: -self.print_msg(selinux_warning) +# Don't assume all vars are available +vars = [] +for var in [httpd_can_network_connect, httpd_manage_ipa]: +try: +(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var]) +self.backup_state(var, stdout.split()[2]) +vars.append(var) +except: +pass + +# Allow apache to connect to the dogtag UI and the session cache +# This can still fail even if selinux is enabled. Execute these +# together so it is speedier. +if vars: +bools = [var + =true for var in vars] +try: +ipautil.run([/usr/sbin/setsebool, -P, ' '.join(bools)]) +except: +self.print_msg(selinux_warning % dict(var=','.join(vars))) def __create_http_keytab(self): installutils.kadmin_addprinc(self.principal) @@ -293,12 +299,13 @@ class HTTPInstance(service.Service): installutils.remove_file(/etc/httpd/conf.d/ipa.conf) installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf) -sebool_state = self.restore_state(httpd_can_network_connect) -if not sebool_state is None: -try: -
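Review bot: `ipautil.run([/usr/sbin/setsebool, -P, ' '.join(bools)])` passes both pairs as one argument, "httpd_can_network_connect=true httpd_manage_ipa=true"; unless ipautil.run goes through a shell, setsebool sees a single boolean whose name contains a space and the call fails for both. Splice the list in instead: `ipautil.run([/usr/sbin/setsebool, -P] + bools)`. Two smaller points: `vars` shadows the builtin of the same name, and the bare `except:` around getsebool also hides the IndexError from `stdout.split()[2]` and KeyboardInterrupt; catching ipautil.CalledProcessError, as the selinuxenabled check above already does, keeps the missing-boolean case while letting real errors surface.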
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
On Mon, 12 Mar 2012, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Mon, 12 Mar 2012, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Wed, 07 Mar 2012, Rob Crittenden wrote:
>>>>>> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).
>>>>> I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.
>>>> I'd prefer to keep the change simple for now and do the big move post 2.2.
>>> ACK on condition you'd file a ticket for the post 2.2 work. :)
>> Filed this https://fedorahosted.org/freeipa/ticket/2519
>> I found an issue with this patch that I need to address, will submit a replacement.
>> rob
> Handle things better if a boolean doesn't exist.

Lucky that setsebool takes multiple booleans at the same time... Maybe it would make sense to merge bools upon recovery? Otherwise ACK.

--
/ Alexander Bokovoy
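The merged-call approach the review asks about, as an added example that is not FreeIPA's own code: probe which booleans the loaded policy defines, then issue one `setsebool -P` with every name=value pair as its own argv element, on both the install and the restore side. The injectable runner and `fake_runner` are assumptions made so the logic runs offline without SELinux.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

GETSEBOOL = "/usr/sbin/getsebool"
SETSEBOOL = "/usr/sbin/setsebool"

# A runner takes an argv list and returns (stdout, returncode). It is injected
# so the logic can be exercised offline; the real one never goes through a
# shell, which is why every name=value pair must be its own list element.
Runner = Callable[[List[str]], Tuple[str, int]]

def real_runner(argv: List[str]) -> Tuple[str, int]:
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout, proc.returncode

def probe_booleans(names: List[str], runner: Runner = real_runner) -> Dict[str, str]:
    """Return {name: current value} for the booleans this policy defines.

    getsebool prints "name --> on|off" and exits non-zero for an unknown name,
    so a boolean missing from an older policy is skipped instead of aborting
    the whole step (the failure mode the replacement patch addresses)."""
    present: Dict[str, str] = {}
    for name in names:
        out, rc = runner([GETSEBOOL, name])
        fields = out.split()
        if rc == 0 and len(fields) == 3 and fields[0] == name:
            present[name] = fields[2]
    return present

def setsebool_argv(values: Dict[str, str]) -> List[str]:
    """One persistent (-P) call covering every boolean, each pair its own argument.
    Joining the pairs with ' ' into one string would hand setsebool a single
    bogus boolean name containing a space."""
    return [SETSEBOOL, "-P"] + [f"{name}={value}" for name, value in values.items()]

def enable_argv(present: Dict[str, str]) -> List[str]:
    """Install side: turn on every boolean that exists."""
    return setsebool_argv({name: "true" for name in present})

def restore_argv(saved: Dict[str, str]) -> List[str]:
    """Uninstall side: put the saved on/off values back in a single merged call."""
    return setsebool_argv(saved)

def fake_runner(argv: List[str]) -> Tuple[str, int]:
    """Constructed stand-in for getsebool: a policy without httpd_manage_ipa."""
    if argv[0] == GETSEBOOL and argv[1] == "httpd_can_network_connect":
        return "httpd_can_network_connect --> off\n", 0
    return "", 1
```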
Re: [Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
On Wed, 07 Mar 2012, Rob Crittenden wrote:
> Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow).

I would prefer all platform-specific manipulations of security policies to be moved to a platform-specific module. Make an HTTP class there (like I did with the dirsrv class in the systemd backend) and perform manipulations on service enable. This way the main code will stay clear of platform-specific code. Sorry for not looking into the issue before.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH] 981 set httpd_manage_ipa
Set SELinux boolean httpd_manage_ipa so ipa_memcached will work in enforcing mode. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow). rob From 2794abe72ebbdc38503cdf3cc779fa41d6e14a92 Mon Sep 17 00:00:00 2001 From: Rob Crittenden rcrit...@redhat.com Date: Wed, 7 Mar 2012 09:29:52 -0500 Subject: [PATCH] Set SELinux boolean httpd_manage_ipa so ipa_memcached will work. This is being done in the HTTP instance so we can set both booleans in one step and save a bit of time (it is still slow). https://fedorahosted.org/freeipa/ticket/2432 --- ipaserver/install/httpinstance.py | 43 +++-- 1 files changed, 22 insertions(+), 21 deletions(-) diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index a23204be062d0f4ec895cdaf0c6a41d4ce54f4e3..75d80ac9abf91e97739239497b18097f03a8a93c 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -37,10 +37,10 @@ HTTPD_DIR = /etc/httpd SSL_CONF = HTTPD_DIR + /conf.d/ssl.conf NSS_CONF = HTTPD_DIR + /conf.d/nss.conf -selinux_warning = WARNING: could not set selinux boolean httpd_can_network_connect to true. +selinux_warning = WARNING: could not set selinux boolean %(var)s to true. The web interface may not function correctly until this boolean is successfully change with the command: - /usr/sbin/setsebool -P httpd_can_network_connect true + /usr/sbin/setsebool -P %(var)s true Try updating the policycoreutils and selinux-policy packages. 
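Review bot: the added `selinux_warning` line carries the pre-existing typo "successfully change" (should be "changed"); since the string is being touched anyway, fix it here. Introducing the %(var)s placeholder also means every `print_msg(selinux_warning)` caller must now supply a dict, so both call sites in the following hunks need checking.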
@@ -103,28 +103,28 @@ class HTTPInstance(service.Service): self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) def __selinux_config(self): -selinux=0 +selinux = False try: if (os.path.exists('/usr/sbin/selinuxenabled')): ipautil.run([/usr/sbin/selinuxenabled]) -selinux=1 +selinux = True except ipautil.CalledProcessError: # selinuxenabled returns 1 if not enabled pass if selinux: +for var in [httpd_can_network_connect, httpd_manage_ipa]: +try: +(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var]) +self.backup_state(var, stdout.split()[2]) +except: +pass + +# Allow apache to connect to the dogtag UI and the session cache +# This can still fail even if selinux is enabled. Execute these +# together so it is speedier. try: -# returns e.g. httpd_can_network_connect -- off -(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, -httpd_can_network_connect]) -self.backup_state(httpd_can_network_connect, stdout.split()[2]) -except: -pass - -# Allow apache to connect to the turbogears web gui -# This can still fail even if selinux is enabled -try: -ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, true]) +ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect=true, httpd_manage_ipa=true]) except: self.print_msg(selinux_warning) 
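Review bot: the unchanged last line `self.print_msg(selinux_warning)` now prints the template unformatted, so with the %(var)s placeholder added in the first hunk the user sees a literal "%(var)s"; format it with `dict(var=...)` as the restore hunk does. More important, the single hard-coded `setsebool -P httpd_can_network_connect=true httpd_manage_ipa=true` is all-or-nothing: on a policy that lacks httpd_manage_ipa the whole command fails and httpd_can_network_connect, which was set on its own before this change, is left off. The getsebool loop above already learns which booleans exist; build the setsebool arguments from those.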
@@ -293,12 +293,13 @@ class HTTPInstance(service.Service): installutils.remove_file(/etc/httpd/conf.d/ipa.conf) installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf) -sebool_state = self.restore_state(httpd_can_network_connect) -if not sebool_state is None: -try: -ipautil.run([/usr/sbin/setsebool, -P, httpd_can_network_connect, sebool_state]) -except: -self.print_msg(selinux_warning) +for var in [httpd_can_network_connect, httpd_manage_ipa]: +sebool_state = self.restore_state(var) +if not sebool_state is None: +try: +ipautil.run([/usr/sbin/setsebool, -P, var, sebool_state]) +except: +self.print_msg(selinux_warning % dict(var=var)) if not running is None and running: self.start() -- 1.7.7.6 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
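Review bot: the restore loop issues a separate `setsebool -P` per boolean, and -P is exactly the slow part the commit message complains about; collect name=value pairs and run one call, as the install side does. Also `if not sebool_state is None` reads better as `if sebool_state is not None`, and the bare `except:` should narrow to ipautil.CalledProcessError so that only a failed setsebool is reported as the warning.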