Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-10 Thread Tomas Babej

On 04/08/2013 12:28 PM, Tomas Babej wrote:

On 04/05/2013 07:43 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 04/04/2013 04:25 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)


Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas


I'm sorry to throw this back again after so long (and having agreed
with the approach).

So I was thinking about how another distro maintainer would have to
deal with this. By default with this patch check_selinux_status()
returns None which is evaluated as False, so the warning will get
thrown. If they set it to be True to avoid the warning then other
things may blow up because SELinux really isn't enabled, so we really
haven't gotten anywhere.

I think the problem is we're trying to cram too much into one
function. I wonder if an is_selinux_available() command would help
which would short-circuit all of this.

While trying to figure out how this worked I found
httpinstance.configure_selinux_for_httpd() which makes a similar call
to see if SELinux is available, so maybe we should convert that as 
well.


rob

I added the is_selinux_available function. Both is_selinux_enabled and
is_selinux_available default to False in services.py.in. A maintainer
who wants to implement a platform file would have to implement both
functions for server install. We require SELinux for server anyway. For
client installs, the default versions work fine.

I converted httpinstance.configure_selinux_for_httpd() to use
is_selinux_enabled(). I also found a similar call in adtrustinstance.py.


Ok, this is getting us closer, and opens a philosophical discussion.

As implemented, this forces SELinux to at least be available on the
box, and by default required to be enabled. This is our strong
recommendation for all users.


There is a flag to allow it to be in permissive, which will help people
work around any policy issues or if they don't want SELinux. They'd
still have to run without it completely disabled though.


This does leave other platforms in a bad place though; there is no
out for them.


How about adding a require_selinux() call to the platform code 
defaulting to Tr

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-08 Thread Tomas Babej

On 04/05/2013 07:43 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 04/04/2013 04:25 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas


I'm sorry to throw this back again after so long (and having agreed
with the approach).

So I was thinking about how another distro maintainer would have to
deal with this. By default with this patch check_selinux_status()
returns None which is evaluated as False, so the warning will get
thrown. If they set it to be True to avoid the warning then other
things may blow up because SELinux really isn't enabled, so we really
haven't gotten anywhere.

I think the problem is we're trying to cram too much into one
function. I wonder if an is_selinux_available() command would help
which would short-circuit all of this.

While trying to figure out how this worked I found
httpinstance.configure_selinux_for_httpd() which makes a similar call
to see if SELinux is available, so maybe we should convert that as 
well.


rob

I added the is_selinux_available function. Both is_selinux_enabled and
is_selinux_available default to False in services.py.in. A maintainer
who wants to implement a platform file would have to implement both
functions for server install. We require SELinux for server anyway. For
client installs, the default versions work fine.

I converted httpinstance.configure_selinux_for_httpd() to use
is_selinux_enabled(). I also found a similar call in adtrustinstance.py.


Ok, this is getting us closer, and opens a philosophical discussion.

As implemented, this forces SELinux to at least be available on the
box, and by default required to be enabled. This is our strong
recommendation for all users.


There is a flag to allow it to be in permissive, which will help people
work around any policy issues or if they don't want SELinux. They'd
still have to run without it completely disabled though.


This does leave other platforms in a bad place though; there is no out
for them.


How about adding a require_selinux() call to the platform code 
defaulting to True. If someone wants to override that with False the

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-05 Thread Rob Crittenden

Tomas Babej wrote:

On 04/04/2013 04:25 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas


I'm sorry to throw this back again after so long (and having agreed
with the approach).

So I was thinking about how another distro maintainer would have to
deal with this. By default with this patch check_selinux_status()
returns None which is evaluated as False, so the warning will get
thrown. If they set it to be True to avoid the warning then other
things may blow up because SELinux really isn't enabled, so we really
haven't gotten anywhere.

I think the problem is we're trying to cram too much into one
function. I wonder if an is_selinux_available() command would help
which would short-circuit all of this.

While trying to figure out how this worked I found
httpinstance.configure_selinux_for_httpd() which makes a similar call
to see if SELinux is available, so maybe we should convert that as well.

rob

I added the is_selinux_available function. Both is_selinux_enabled and
is_selinux_available default to False in services.py.in. A maintainer
who wants to implement a platform file would have to implement both
functions for server install. We require SELinux for server anyway. For
client installs, the default versions work fine.

I converted httpinstance.configure_selinux_for_httpd() to use
is_selinux_enabled(). I also found a similar call in adtrustinstance.py.


Ok, this is getting us closer, and opens a philosophical discussion.

As implemented, this forces SELinux to at least be available on the
box, and by default required to be enabled. This is our strong
recommendation for all users.


There is a flag to allow it to be in permissive, which will help people
work around any policy issues or if they don't want SELinux. They'd
still have to run without it completely disabled though.


This does leave other platforms in a bad place though; there is no out
for them.


How about adding a require_selinux() call to the platform code 
defaulting to True. If someone wants to override that with False they 
can. A call to that could be added inside the other is_selin

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-05 Thread Tomas Babej

On 04/04/2013 04:25 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas


I'm sorry to throw this back again after so long (and having agreed 
with the approach).


So I was thinking about how another distro maintainer would have to 
deal with this. By default with this patch check_selinux_status() 
returns None which is evaluated as False, so the warning will get 
thrown. If they set it to be True to avoid the warning then other 
things may blow up because SELinux really isn't enabled, so we really 
haven't gotten anywhere.


I think the problem is we're trying to cram too much into one
function. I wonder if an is_selinux_available() command would help
which would short-circuit all of this.


While trying to figure out how this worked I found 
httpinstance.configure_selinux_for_httpd() which makes a similar call 
to see if SELinux is available, so maybe we should convert that as well.


rob


I added the is_selinux_available function. Both is_selinux_enabled and
is_selinux_available default to False in services.py.in. A maintainer
who wants to implement a platform file would have to implement both
functions for server install. We require SELinux for server anyway. For
client installs, the default versions work fine.

I converted httpinstance.configure_selinux_for_httpd() to use
is_selinux_enabled(). I also found a similar call in adtrustinstance.py.


Tomas

From b1a3be80c440681a1fc46da86db42bde5fa6dd4a Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled, otherwise the installation aborts
(on server install)
  - installed and enabled OR not installed, otherwise
the warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can be
used to bypass the checks. Documented in man pages altered accordingly.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/fr

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-04 Thread Rob Crittenden

Tomas Babej wrote:

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready
yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages
according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas


I'm sorry to throw this back again after so long (and having agreed with 
the approach).


So I was thinking about how another distro maintainer would have to deal 
with this. By default with this patch check_selinux_status() returns 
None which is evaluated as False, so the warning will get thrown. If 
they set it to be True to avoid the warning then other things may blow 
up because SELinux really isn't enabled, so we really haven't gotten 
anywhere.


I think the problem is we're trying to cram too much into one function.
I wonder if an is_selinux_available() command would help which would
short-circuit all of this.


While trying to figure out how this worked I found 
httpinstance.configure_selinux_for_httpd() which makes a similar call to 
see if SELinux is available, so maybe we should convert that as well.


rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
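The split Rob proposes in the message above, a separate is_selinux_available() probe next to is_selinux_enabled() with both defaulting to False in the generic platform code, is sketched here as an added example. This is illustrative code written for this thread, not FreeIPA's own platform modules or install scripts: the class names, the three state labels, the `/usr/sbin/selinuxenabled` path and the `exists`/`run` hooks are assumptions, the hooks existing only so the decision logic can be exercised offline with constructed results. The server/client asymmetry (abort vs. warn, client without SELinux installed being fine) and the unsupported --allow-selinux-disabled override follow the thread's description of the patch.

```python
"""Added example (not FreeIPA code): platform-style SELinux status checks
with safe defaults, modelled on the design discussed in this thread."""
import os
import subprocess


class GenericPlatform(object):
    """Fallback platform: never claims SELinux support it cannot verify.

    Both probes default to False, so an unported platform is treated as
    'SELinux not installed' instead of crashing on a missing method or
    pretending SELinux is on (the failure modes discussed above)."""

    def is_selinux_available(self):
        return False

    def is_selinux_enabled(self):
        return False


class RedHatPlatform(GenericPlatform):
    """Platform that ships the libselinux/policycoreutils tooling.

    `exists` and `run` are injectable so the logic can be exercised with
    constructed results; by default they probe the real host."""

    SELINUXENABLED = "/usr/sbin/selinuxenabled"  # assumed path

    def __init__(self, exists=os.path.exists, run=subprocess.call):
        self._exists = exists
        self._run = run

    def is_selinux_available(self):
        # Presence of the tooling is the 'available' signal.
        return self._exists(self.SELINUXENABLED)

    def is_selinux_enabled(self):
        # selinuxenabled exits 0 when a policy is loaded (permissive or
        # enforcing) and non-zero when SELinux is disabled.
        if not self.is_selinux_available():
            return False
        return self._run([self.SELINUXENABLED]) == 0


def selinux_state(platform):
    """Collapse the two probes into one of three states."""
    if platform.is_selinux_enabled():
        return "enabled"
    if platform.is_selinux_available():
        return "disabled"
    return "unavailable"


def check_selinux_status(platform, is_server, allow_disabled=False):
    """Decide whether an install may proceed.

    Returns (proceed, state, message). Server installs abort unless SELinux
    is enabled or the unsupported override is given; client installs only
    warn, and a client with no SELinux installed at all is fine because the
    client package does not depend on it."""
    state = selinux_state(platform)
    if state == "enabled":
        return True, state, "SELinux is enabled"

    if state == "unavailable":
        detail = "SELinux is not installed"
    else:
        detail = "SELinux is disabled"

    if is_server:
        if allow_disabled:
            return (True, state, "WARNING: %s; continuing because "
                    "--allow-selinux-disabled was given (unsupported)" % detail)
        return (False, state,
                "%s; ipa-server-install requires SELinux to be enabled" % detail)

    if state == "unavailable":
        return True, state, "%s; not required for client installation" % detail
    return (True, state,
            "WARNING: %s; running with SELinux disabled is not supported" % detail)


if __name__ == "__main__":
    # Probe the real host; on a box without libselinux this reports 'unavailable'.
    for server in (True, False):
        proceed, state, message = check_selinux_status(RedHatPlatform(),
                                                       is_server=server)
        print("%s: state=%s proceed=%s: %s"
              % ("server" if server else "client", state, proceed, message))
```

Keeping the two probes separate is what lets the generic defaults be honest: a platform that has not been ported reports "unavailable", which aborts a server install with an accurate message and lets a client install through, whereas a single is_selinux_enabled() defaulting to either True or False misreports one of those two cases.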


Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-03 Thread Tomas Babej

On Tue 02 Apr 2013 10:05:06 AM CEST, Tomas Babej wrote:

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready
yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages
according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the
aforementioned crash and add a comment that this function needs to be
implemented properly in every platform file.

I'm probably for option 2, there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas


Sorry, wrong patch. Correct version attached.

Tomas

From 63ec43f7fd06c337194455fa470abad4c60552d2 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled, otherwise the installation aborts
(on server install)
  - installed and enabled OR not installed, otherwise
the warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can be
used to bypass the checks. Documented in man pages altered accordingly.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1   |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  8 -
 9 files changed, 78 insertions(+), 26 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a289941e43acb52fc30bbf3750652f0868e92651..483665b1b3e50996f5a6db30819f57dff53db8e2 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -159,6 +159,8 @@ def parse_options():
   help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
   
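Review bot: the new option's dest name `selinux_disabled` reads as a statement of the host's state rather than as a permission, so call sites of the form `options.selinux_disabled` will suggest the installer has determined that SELinux is off, which is exactly the confusion the is_selinux_enabled() default discussion above is about; consider `dest="allow_selinux_disabled"` so the attribute name matches the `--allow-selinux-disabled` flag and its "(not supported)" help text.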

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-02 Thread Tomas Babej

On Mon 01 Apr 2013 10:01:14 PM CEST, Rob Crittenden wrote:

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can be
used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready
yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages
according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install policycoreutils package. This would be
the case both with server and client installs when selinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause forementioned
crash and add comment that this function needs to be implemented
properly in every platform file.

I'm probably for option 2; there's no need to clutter the code with checks
that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob


I updated the patch accordingly.

Tomas
From 1d8d6b6315d109e936464aac4ee23d35bcd3d84f Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled, otherwise the installation aborts
(on server install)
  - installed and enabled OR not installed, otherwise
the warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can
be used to bypass the checks. The man pages were altered accordingly.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1   |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  7 
 9 files changed, 78 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index a289941e43acb52fc30bbf3750652f0868e92651..483665b1b3e50996f5a6db30819f57dff53db8e2 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -159,6 +159,8 @@ def parse_options():
   help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
   default=False, help="print debugging information")
 basic_group.add_option("-U", "--unattended", 

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-04-01 Thread Rob Crittenden

Tomas Babej wrote:

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install the policycoreutils package. This would be
the case both with server and client installs when SELinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the aforementioned
crash and add comment that this function needs to be implemented
properly in every platform file.

I'm probably for option 2; there's no need to clutter the code with checks
that compensate for improper platform file implementations.

Tomas


I agree with you on option 2.

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
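The server-abort / client-warn policy and "option 2" (no default for the platform hook) from the exchange above, as an added example that is not FreeIPA's own code. PlatformBase, RedHatLike, UnfinishedPlatform and check_selinux are this example's names, and None standing for "SELinux tooling not installed" is its own convention, not the project's.

```python
class PlatformBase(object):
    """Assumed base for per-platform modules (this example's own name)."""

    def is_selinux_enabled(self):
        # Option 2 from the thread: no default value. A platform file that
        # forgets to implement the hook fails loudly here instead of silently
        # reporting SELinux as enabled on a system that may not even have it.
        raise NotImplementedError(
            "%s must implement is_selinux_enabled()" % type(self).__name__)


class RedHatLike(PlatformBase):
    """Constructed stand-in for a platform file. The state is injected so the
    example runs offline; None is this example's convention for "SELinux
    tooling not installed", True/False for enabled/disabled."""

    def __init__(self, state):
        self._state = state

    def is_selinux_enabled(self):
        return self._state


class UnfinishedPlatform(PlatformBase):
    """A platform file that never implemented the hook."""


def check_selinux(platform, role, allow_disabled=False):
    """Apply the install-time policy and return (proceed, message).

    role is "server" or "client". Server installs require SELinux installed
    and enabled and abort otherwise; client installs accept a missing SELinux
    (freeipa-client has no dependency on it) and only warn when it is
    disabled. allow_disabled models the unsupported --allow-selinux-disabled
    option, which bypasses the check entirely.
    """
    if role not in ("server", "client"):
        raise ValueError("unknown role %r" % (role,))
    # Deliberately no try/except: a NotImplementedError is a bug in the
    # platform file and should surface, not be papered over (option 2).
    enabled = platform.is_selinux_enabled()
    if enabled is True or allow_disabled:
        return True, ""
    if enabled is None and role == "client":
        return True, ""
    state = "not installed" if enabled is None else "disabled"
    msg = ("SELinux is %s. Installation with SELinux disabled is not "
           "supported; put SELinux in permissive or enforcing mode, or use "
           "--allow-selinux-disabled." % state)
    if role == "server":
        return False, msg
    return True, "WARNING: " + msg
```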


Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-20 Thread Tomas Babej

On Tue 19 Feb 2013 08:37:26 PM CET, Rob Crittenden wrote:

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default
value for is_selinux_enabled() is True in ipapython/services.py.in.

So this means that any non-Red Hat/non-Fedora system, by default, is
going to assume that SELinux is enabled.

My hesitation has to do with when we call check_selinux_status(). It may
incorrectly error out. I suspect that the user would have to work
around this using --allow-selinux-disabled but this wouldn't make a
lot of sense since they actually do have SELinux disabled.


Yes, you're right. And the error message would not even be helpful since
it would tell the user to install the policycoreutils package. This would
be the case both with server and client installs when SELinux would not be
installed at all.


What do you think?

rob


Well we have 2 options as I see it:

1.) We can either return None as default, and add checks to
check_selinux_status, restore_context and install scripts that would
ensure that we behave properly when is_selinux_enabled() is not
implemented.

2.) We can remove the default value, since it would cause the aforementioned
crash and add comment that this function needs to be implemented
properly in every platform file.

I'm probably for option 2; there's no need to clutter the code with
checks that compensate for improper platform file implementations.

Tomas



Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-19 Thread Rob Crittenden

Tomas Babej wrote:

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet
to require SELinux by default on client installations (even with a
flag to work around it). The feeling is this would be disruptive to
existing automation.

Can you still do the check but not enforce it, simply display a big
warning if SELinux is disabled?

rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to
the new behaviour.

Tomas


The patch looks good, I'm just wondering about one thing. The default 
value for is_selinux_enabled() is True in ipapython/services.py.in.


So this means that any non-Red Hat/non-Fedora system, by default, is 
going to assume that SELinux is enabled.


My hesitation has to do with when we call check_selinux_status(). It may 
incorrectly error out. I suspect that the user would have to work around 
this using --allow-selinux-disabled but this wouldn't make a lot of 
sense since they actually do have SELinux disabled.


What do you think?

rob



Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-04 Thread Tomas Babej

On 02/04/2013 04:21 PM, Rob Crittenden wrote:

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet 
to require SELinux by default on client installations (even with a 
flag to work around it). The feeling is this would be disruptive to 
existing automation.


Can you still do the check but not enforce it, simply display a big 
warning if SELinux is disabled?


rob



Sure, here is the updated patch.

I edited the commit message, RFE description and man pages according to 
the new behaviour.


Tomas
From 083080dde777f9f496ba5b923247f0e75e185974 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled, otherwise the installation aborts
(on server install)
  - installed and enabled OR not installed, otherwise
the warning message is displayed (on client install)

The (unsupported) option --allow-selinux-disabled has been added. It can
be used to bypass the checks. The man pages were altered accordingly.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1   |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  7 
 9 files changed, 78 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..b5159e6ec14837cf9b51f740bd7f2f8a459e3c67 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -153,6 +153,8 @@ def parse_options():
   help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
   default=False, help="print debugging information")
 basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -639,6 +641,13 @@ def main():
 print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
 sys.exit(1)
 
+is_selinux_disabled = not ipaservices.is_selinux_enabled()
+if (not options.selinux_disabled) and is_selinux_disabled:
+print("Installation with SELinux disabled is not supported. \n"
+  "Put SELinux either in permissive / enabled mode or use"
+  " --allow-selinux-disabled option.")
+sys.exit(1)
+
 # This will override any settings passed in on the cmdline
 if ipautil.file_exists(ANSWER_CACHE):
 if options.dm_password is not None:
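Review bot: the abort decision in this hunk hinges entirely on `ipaservices.is_selinux_enabled()`, whose generic fallback in `ipapython/services.py.in` returns True (see the thread), so a platform file that forgets the hook passes silently, while a correct False on a box with no SELinux tooling produces a hint that does not fit ("Put SELinux either in permissive / enabled mode": the SELinux modes are enforcing, permissive and disabled, and there is nothing to put into a mode when policycoreutils is absent); suggest distinguishing "not installed" from "disabled" and wording the hint as "permissive or enforcing". Secondary: the check runs above the `# This will override any settings passed in on the cmdline` block, so an `--allow-selinux-disabled` captured in ANSWER_CACHE during a first `--external-ca` stage is not seen here; confirm that is intended.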
@@ -1126,6 +1135,8 @@ def main():
 args.append("--no-dns-sshfp")
 if options.trust_sshfp:
 args.append("--ssh-trust-dns")
+if options.selinux_disabled:
+args.append("--allow-selinux-disabled")
 if not options.conf_ssh:
 args.append("--no-ssh")
 if not options.conf_sshd:
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 75c6a78acc20e93e379ab60d5b0096a65afdd0ac..1b533d8069970d787d266bb50dd5fd5c59c504f7 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -72,6 +72,9 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-allow\-selinux\-disabled\fR
+Allow installation with SELinux disabled

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-02-04 Thread Rob Crittenden

Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas


After a bit of off-line discussion I don't think we're quite ready yet 
to require SELinux by default on client installations (even with a flag 
to work around it). The feeling is this would be disruptive to existing 
automation.


Can you still do the check but not enforce it, simply display a big 
warning if SELinux is disabled?


rob



Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-31 Thread Tomas Babej

On 01/30/2013 05:58 PM, Tomas Babej wrote:

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas
Just for the record, since this is an RFE, I updated the 3.2 minor 
enhancements page:


http://www.freeipa.org/page/V3_Minor_Enhancements

Tomas

Re: [Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-30 Thread Tomas Babej

On 01/30/2013 05:12 PM, Tomas Babej wrote:

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas


I forgot to edit the man pages. Thanks Rob!

Updated patch attached.

Tomas
From 2dc974ff6db11b4c39f2b24d71e9e48b66ac5541 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.

The (unsupported) option --allow-selinux-disabled has been added. It can
be used to bypass the checks. It has been documented in the man pages.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipa-client/man/ipa-client-install.1   |  3 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  7 
 9 files changed, 78 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..b5159e6ec14837cf9b51f740bd7f2f8a459e3c67 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -153,6 +153,8 @@ def parse_options():
   help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
   default=False, help="print debugging information")
 basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -639,6 +641,13 @@ def main():
 print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
 sys.exit(1)
 
+is_selinux_disabled = not ipaservices.is_selinux_enabled()
+if (not options.selinux_disabled) and is_selinux_disabled:
+print("Installation with SELinux disabled is not supported. \n"
+  "Put SELinux either in permissive / enabled mode or use"
+  " --allow-selinux-disabled option.")
+sys.exit(1)
+
 # This will override any settings passed in on the cmdline
 if ipautil.file_exists(ANSWER_CACHE):
 if options.dm_password is not None:
@@ -1126,6 +1135,8 @@ def main():
 args.append("--no-dns-sshfp")
 if options.trust_sshfp:
 args.append("--ssh-trust-dns")
+if options.selinux_disabled:
+args.append("--allow-selinux-disabled")
 if not options.conf_ssh:
 args.append("--no-ssh")
 if not options.conf_sshd:
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 75c6a78acc20e93e379ab60d5b0096a65afdd0ac..1b533d8069970d787d266bb50dd5fd5c59c504f7 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -72,6 +72,9 @@ Do not configure OpenSSH client.
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
+\fB\-\-allow\-selinux\-disabled\fR
+Allow installation with SELinux disabled. This is unsupported. Please consider setting SELinux to permissive / enforcing mode.
+.TP
 \fB\-d\fR, \fB\-\-debug\fR
 Enable debug logging when more verbose output is needed
 .TP
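Review bot: the man page entry for \fB\-\-allow\-selinux\-disabled\fR tells the user to consider "permissive / enforcing mode" while the installer message in the earlier hunk says "permissive / enabled mode"; pick one wording (enforcing is the real mode name) so the documentation and the error text agree.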
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index aa8bc79341682a6987ad47f9331e8d09205608fb..4d0a3e51e42a40779e36109af0d2ad8ae5f77a83 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -128,6 +128,8 @@ def parse_optio

[Freeipa-devel] [PATCH 0027] Add checks for SELinux in install scripts

2013-01-30 Thread Tomas Babej

Hi,

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.
(any objections to this approach?)

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359

Tomas
From f038bb7b79d5a048e9c9ae7fd7391edabb6ac3ac Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 24 Jan 2013 15:37:21 -0500
Subject: [PATCH] Add checks for SELinux in install scripts

The checks make sure that SELinux is:
  - installed and enabled (on server install)
  - installed and enabled OR not installed (on client install)

Please note that client installs with SELinux not installed are
allowed since freeipa-client package has no dependency on SELinux.

The (unsupported) option --allow-no-selinux has been added. It can
be used to bypass the checks.

Parts of platform-dependent code were refactored to use the newly added
is_selinux_enabled() function.

https://fedorahosted.org/freeipa/ticket/3359
---
 install/tools/ipa-server-install  | 11 +++
 ipa-client/ipa-install/ipa-client-install | 17 ++
 ipapython/platform/fedora16/__init__.py   |  3 +-
 ipapython/platform/fedora16/selinux.py|  3 ++
 ipapython/platform/fedora18/__init__.py   |  3 +-
 ipapython/platform/redhat/__init__.py | 53 +--
 ipapython/services.py.in  |  7 
 7 files changed, 72 insertions(+), 25 deletions(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 15591071b0983511394a2cba3d829e1b84fe328e..b5159e6ec14837cf9b51f740bd7f2f8a459e3c67 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -153,6 +153,8 @@ def parse_options():
   help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
   default=False, help="print debugging information")
 basic_group.add_option("-U", "--unattended", dest="unattended", action="store_true",
@@ -639,6 +641,13 @@ def main():
 print "CA is not installed yet. To install with an external CA is a two-stage process.\nFirst run the installer with --external-ca."
 sys.exit(1)
 
+is_selinux_disabled = not ipaservices.is_selinux_enabled()
+if (not options.selinux_disabled) and is_selinux_disabled:
+print("Installation with SELinux disabled is not supported. \n"
+  "Put SELinux either in permissive / enabled mode or use"
+  " --allow-selinux-disabled option.")
+sys.exit(1)
+
 # This will override any settings passed in on the cmdline
 if ipautil.file_exists(ANSWER_CACHE):
 if options.dm_password is not None:
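Review bot: style: the new block uses the call form `print("Installation with SELinux disabled is not supported. \n" ...)` while the surrounding code in this hunk uses the Python 2 statement form (`print "CA is not installed yet..."`); it works here only because the parenthesised strings are implicitly concatenated into a single argument, so keep one form within the file. Also the space before `\n` in the first string ends up as trailing whitespace in the output.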
@@ -1126,6 +1135,8 @@ def main():
 args.append("--no-dns-sshfp")
 if options.trust_sshfp:
 args.append("--ssh-trust-dns")
+if options.selinux_disabled:
+args.append("--allow-selinux-disabled")
 if not options.conf_ssh:
 args.append("--no-ssh")
 if not options.conf_sshd:
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index aa8bc79341682a6987ad47f9331e8d09205608fb..4d0a3e51e42a40779e36109af0d2ad8ae5f77a83 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -128,6 +128,8 @@ def parse_options():
   help="do not automatically create DNS SSHFP records")
 basic_group.add_option("--noac", dest="no_ac", default=False, action="store_true",
   help="do not use Authconfig to modify the nsswitch.conf and PAM configuration")
+basic_group.add_option("--allow-selinux-disabled", dest="selinux_disabled", action="store_true",
+  default=False, help="allow installation with SELinux disabled (not supported)")
 basic_group.add_option("-f", "--force", dest="force", action="store_true",
   default=False, help="force setting of LDAP/Kerberos conf")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -2318,7 +2320,9 @@ def main():
 
 if not os.getegid() == 0:
 sys.exit("\nYou must be root to run ipa-client-install.\n")
+
 ipaservices.check_selinux_status()
+
 logging_s
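Review bot: in the part of the last hunk shown here, the only change around `ipaservices.check_selinux_status()` is the two added blank lines; if the client-side warning logic follows in the rest of the hunk, fine, otherwise drop the whitespace-only change so the diff stays focused on the new check.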