Configure SELinux for httpd during upgrades

SELinux configuration for httpd instance was set for new installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x upgrade) missed the configuration. This lead to AVCs when httpd tries to contact ipa_memcached and user not being able to log in. This patch updates ipa-upgradeconfig to configure SELinux in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2603
2025-02-25 18:55:28 -06:00 · 2012-04-03 10:47:40 +02:00 · 2012-04-03 10:47:40 +02:00 · 17a0738d2d
commit 17a0738d2d
parent 8a7d7aaf81
2 changed files with 18 additions and 10 deletions
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@ -163,7 +163,7 @@ def check_certs():
            print "Missing Certification Authority file."
            print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"

-def upgrade_pki():
+def upgrade_pki(fstore):
    """
    Update/add the dogtag proxy configuration. The IPA side of this is
    handled in ipa-pki-proxy.conf.
@ -173,7 +173,6 @@ def upgrade_pki():
    if not os.path.exists('/etc/pki-ca/CS.cfg'):
        return

-    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
    http = httpinstance.HTTPInstance(fstore)
    http.enable_mod_nss_renegotiate()
    if not installutils.get_directive('/etc/pki-ca/CS.cfg',
@ -222,13 +221,11 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"):
    fd.write("".join(newfile))
    fd.close()

-def cleanup_kdc():
+def cleanup_kdc(fstore):
    """
    Clean up old KDC files if they exist. We need to remove the actual
    file and any references in the uninstall configuration.
    """
-    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
-
    for file in ['kpasswd.keytab', 'ldappwd']:
        filename = '/var/kerberos/krb5kdc/%s' % file
        installutils.remove_file(filename)
@ -244,6 +241,14 @@ def upgrade_ipa_profile(realm):
        if ca.enable_subject_key_identifier():
            ca.restart()

+def upgrade_httpd_selinux(fstore):
+    """
+    Update SElinux configuration for httpd instance in the same way as the
+    new server installation does.
+    """
+    http = httpinstance.HTTPInstance(fstore)
+    http.configure_selinux_for_httpd()
+
 def main():
    """
    Get some basics about the system. If getting those basics fail then
@ -254,6 +259,8 @@ def main():
    if not os.geteuid()==0:
        sys.exit("\nYou must be root to run this script.\n")

+    fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
+
    try:
        krbctx = krbV.default_context()
    except krbV.Krb5Error, e:
@ -274,12 +281,13 @@ def main():
    upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf")
    upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf")
    upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True)
-    upgrade_pki()
+    upgrade_pki(fstore)
    update_dbmodules(krbctx.default_realm)
    uninstall_ipa_kpasswd()

-    http = httpinstance.HTTPInstance()
+    http = httpinstance.HTTPInstance(fstore)
    http.remove_httpd_ccache()
+    http.configure_selinux_for_httpd()

    memcache = memcacheinstance.MemcacheInstance()
    memcache.ldapi = True
@ -294,7 +302,7 @@ def main():
    except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry):
        pass

-    cleanup_kdc()
+    cleanup_kdc(fstore)
    upgrade_ipa_profile(krbctx.default_realm)

 try:
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@ -86,7 +86,7 @@ class HTTPInstance(service.Service):
        self.step("publish CA cert", self.__publish_ca_cert)
        self.step("creating a keytab for httpd", self.__create_http_keytab)
        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
-        self.step("configuring SELinux for httpd", self.__selinux_config)
+        self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
        self.step("restarting httpd", self.__start)
        self.step("configuring httpd to start on boot", self.__enable)

@ -103,7 +103,7 @@ class HTTPInstance(service.Service):
        # components as found in our LDAP configuration tree
        self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)

-    def __selinux_config(self):
+    def configure_selinux_for_httpd(self):
        selinux = False
        try:
            if (os.path.exists('/usr/sbin/selinuxenabled')):