Set SELinux boolean httpd_manage_ipa so ipa_memcached will work.

This is being done in the HTTP instance so we can set both
booleans in one step and save a bit of time (it is still slow).

https://fedorahosted.org/freeipa/ticket/2432
Rob Crittenden 2012-03-07 09:29:52 -05:00
parent 4385816dbb
commit 0425d09fac


@ -37,10 +37,11 @@ HTTPD_DIR = "/etc/httpd"
SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf" SSL_CONF = HTTPD_DIR + "/conf.d/ssl.conf"
NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf" NSS_CONF = HTTPD_DIR + "/conf.d/nss.conf"
selinux_warning = """WARNING: could not set selinux boolean httpd_can_network_connect to true. selinux_warning = """
The web interface may not function correctly until this boolean is WARNING: could not set selinux boolean(s) %(var)s to true. The web
successfully change with the command: interface may not function correctly until this boolean is successfully
/usr/sbin/setsebool -P httpd_can_network_connect true change with the command:
/usr/sbin/setsebool -P %(var)s true
Try updating the policycoreutils and selinux-policy packages. Try updating the policycoreutils and selinux-policy packages.
""" """
@ -103,30 +104,35 @@ class HTTPInstance(service.Service):
self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
def __selinux_config(self): def __selinux_config(self):
selinux=0 selinux = False
try: try:
if (os.path.exists('/usr/sbin/selinuxenabled')): if (os.path.exists('/usr/sbin/selinuxenabled')):
ipautil.run(["/usr/sbin/selinuxenabled"]) ipautil.run(["/usr/sbin/selinuxenabled"])
selinux=1 selinux = True
except ipautil.CalledProcessError: except ipautil.CalledProcessError:
# selinuxenabled returns 1 if not enabled # selinuxenabled returns 1 if not enabled
pass pass
if selinux: if selinux:
try: # Don't assume all vars are available
# returns e.g. "httpd_can_network_connect --> off" vars = []
(stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
"httpd_can_network_connect"]) try:
self.backup_state("httpd_can_network_connect", stdout.split()[2]) (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
except: self.backup_state(var, stdout.split()[2])
pass vars.append(var)
except:
pass
# Allow apache to connect to the turbogears web gui # Allow apache to connect to the dogtag UI and the session cache
# This can still fail even if selinux is enabled # This can still fail even if selinux is enabled. Execute these
try: # together so it is speedier.
ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"]) if vars:
except: bools = [var + "=true" for var in vars]
self.print_msg(selinux_warning) try:
ipautil.run(["/usr/sbin/setsebool", "-P", ' '.join(bools)])
except:
self.print_msg(selinux_warning % dict(var=','.join(vars)))
def __create_http_keytab(self): def __create_http_keytab(self):
installutils.kadmin_addprinc(self.principal) installutils.kadmin_addprinc(self.principal)
@ -293,12 +299,13 @@ class HTTPInstance(service.Service):
installutils.remove_file("/etc/httpd/conf.d/ipa.conf") installutils.remove_file("/etc/httpd/conf.d/ipa.conf")
installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf") installutils.remove_file("/etc/httpd/conf.d/ipa-pki-proxy.conf")
sebool_state = self.restore_state("httpd_can_network_connect") for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
if not sebool_state is None: sebool_state = self.restore_state(var)
try: if not sebool_state is None:
ipautil.run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", sebool_state]) try:
except: ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
self.print_msg(selinux_warning) except:
self.print_msg(selinux_warning % dict(var=var))
if not running is None and running: if not running is None and running:
self.start() self.start()
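Review bot: In the second hunk, `ipautil.run(["/usr/sbin/setsebool", "-P", ' '.join(bools)])` hands setsebool a single argv element `"httpd_can_network_connect=true httpd_manage_ipa=true"` rather than two separate `name=value` arguments, so unless setsebool tokenises its own arguments the call most likely fails and the install falls through to the warning on every SELinux-enabled host. Since ipautil.run is given a list (no shell), the fix is to extend the argv instead of joining: `ipautil.run(["/usr/sbin/setsebool", "-P"] + bools)`. The surrounding bare `except:` clauses (both in `__selinux_config` and in the uninstall loop of the third hunk) hide exactly this kind of failure, including the `IndexError` from `stdout.split()[2]` when getsebool prints something unexpected; catching `ipautil.CalledProcessError` and `IndexError` explicitly and logging the exception text would make a misconfigured policy visible rather than silently leaving httpd without the intended booleans. `vars` also shadows the builtin; `sebools` would read better.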