Move the dogtag SELinux rules loading into the spec file

I couldn't put the dogtag rules into the spec file until we required dogtag as a component. If it wasn't pre-loaded them the rules loading would fail because types would be missing.
2025-02-25 18:55:28 -06:00 · 2010-05-20 11:54:41 -04:00
parent 10ae6912e6
commit 4ae483600f
3 changed files with 8 additions and 27 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -469,7 +469,6 @@ class CAInstance(service.Service):
                self.step("adding RA agent as a trusted user", self.__configure_ra)
            self.step("fixing RA database permissions", self.fix_ra_perms)
            self.step("setting up signing cert profile", self.__setup_sign_profile)
-            self.step("install SELinux policy", self.__setup_selinux)
            self.step("set up CRL publishing", self.__enable_crl_publish)
            self.step("configuring certificate server to start on boot", self.__enable)
            self.step("restarting certificate server", self.__restart_instance)
@@ -1006,24 +1005,6 @@ class CAInstance(service.Service):

        ipautil.run(["/sbin/restorecon", publishdir])

-    def __setup_selinux(self):
-        """
-        This policy should probably be defined by dogtag but it grants
-        dogtag the ability to read/write cert_t files for CRL publishing.
-        """
-
-        # Start by checking to see if policy is already installed.
-        (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/semodule", "-l"])
-
-        # Ok, so stdout is a huge string of the output. Look through that
-        # for our policy
-        policy = stdout.find('ipa_dogtag')
-        if policy >= 0:
-            # Already loaded
-            return
-
-        ipautil.run(["/usr/sbin/semodule", "-i", "/usr/share/selinux/targeted/ipa_dogtag.pp"])
-
    def set_subject_in_config(self, suffix):
        # dogtag ships with an IPA-specific profile that forces a subject
        # format. We need to update that template with our base subject
@@ -1046,11 +1027,6 @@ class CAInstance(service.Service):
        except ipautil.CalledProcessError, e:
            logging.critical("failed to uninstall CA instance %s" % e)

-        try:
-            ipautil.run(["/usr/sbin/semodule", "-r", "ipa_dogtag"])
-        except ipautil.CalledProcessError, e:
-            pass
-
        pki_user = self.restore_state("user")
        user_exists = self.restore_state("user_exists")
        if not pki_user is None and not user_exists is None and not user_exists: