ipa-restore: Set SELinux booleans when restoring

https://fedorahosted.org/freeipa/ticket/4157

Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>

ipaserver/install/ipa_restore.py

@@ -36,7 +36,10 @@ from ipaserver.install.cainstance import PKI_USER, create_ca_user
 from ipaserver.install.replication import (wait_for_task, ReplicationManager,
                                            get_cs_replication_manager)
 from ipaserver.install import installutils
+from ipaserver.install import httpinstance
+from ipaserver.install import adtrustinstance
 from ipapython import ipaldap
+import ipapython.errors
 from ipaplatform.tasks import tasks
 from ipaserver.install.ipa_backup import BACKUP_DIR
 from ipaplatform import services
@@ -262,6 +265,8 @@ class Restore(admintool.AdminTool):
                 if rc not in [0, 6]:
                     self.log.warn('Stopping IPA failed: %s' % stderr)
 
+                self.restore_selinux_booleans()
+
 
             # We do either a full file restore or we restore data.
             if self.backup_type == 'FULL' and not options.data_only:
@@ -637,3 +642,12 @@ class Restore(admintool.AdminTool):
             except Exception, e:
                 # This isn't so fatal as to side-track the restore
                 self.log.error('Problem with %s: %s' % (dir, e))
+
+    def restore_selinux_booleans(self):
+        bools = dict(httpinstance.SELINUX_BOOLEAN_SETTINGS)
+        if 'ADTRUST' in self.backup_services:
+            bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+        try:
+            tasks.set_selinux_booleans(bools)
+        except ipapython.errors.SetseboolError as e:
+            self.log.error('%s', e)

ipatests/test_integration/test_backup_and_restore.py

@@ -146,3 +146,32 @@ class TestBackupAndRestore(IntegrationTest):
                                         stdin_text=dirman_password + '\nyes')
             finally:
                 self.master.run_command(['userdel', 'ipatest_user1'])
+
+    def test_full_backup_and_restore_with_selinux_booleans_off(self):
+        """regression test for https://fedorahosted.org/freeipa/ticket/4157"""
+        with restore_checker(self.master):
+            backup_path = backup(self.master)
+
+            self.log.info('Backup path for %s is %s', self.master, backup_path)
+
+            self.master.run_command(['ipa-server-install',
+                                     '--uninstall',
+                                     '-U'])
+
+            self.master.run_command([
+                'setsebool', '-P',
+                'httpd_can_network_connect=off',
+                'httpd_manage_ipa=off',
+            ])
+
+            dirman_password = self.master.config.dirman_password
+            self.master.run_command(['ipa-restore', backup_path],
+                                    stdin_text=dirman_password + '\nyes')
+
+        result = self.master.run_command([
+            'getsebool',
+            'httpd_can_network_connect',
+            'httpd_manage_ipa',
+        ])
+        assert 'httpd_can_network_connect --> on' in result.stdout_text
+        assert 'httpd_manage_ipa --> on' in result.stdout_text