authorsbose <sbose@ipa17-devel.ipa17.devel>2012-05-30 11:54:01 +0200
committerMartin Kosek <mkosek@redhat.com>2012-06-07 09:39:11 +0200
commite6d638b6cf6d5693e1b312a41b44d4adbff0634c (patch)
tree9aa65c3354da0276b0f50060a94b1cb44807fef8
parent27c24ff7be45405ee67326da54b7d0ef6bdd6438 (diff)
Set samba_portmapper SELinux boolean during ipa-adtrust-install
-rw-r--r--ipaserver/install/adtrustinstance.py51
1 files changed, 51 insertions, 0 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index fffa062cd..5f7405431 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -39,6 +39,14 @@ import struct
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
+SELINUX_WARNING = """
+WARNING: could not set selinux boolean(s) %(var)s to true. The adtrust
+service may not function correctly until this boolean is successfully
+change with the command:
+ /usr/sbin/setsebool -P %(var)s true
+Try updating the policycoreutils and selinux-policy packages.
+"""
+
def check_inst():
for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']:
if not os.path.exists(smbfile):
@@ -105,6 +113,7 @@ class ADTRUSTInstance(service.Service):
self.sub_dict = None
self.cifs_principal = None
self.cifs_agent = None
+ self.selinux_booleans = None
service.Service.__init__(self, "smb", dm_password=dm_password)
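Review bot: `self.selinux_booleans = None` leaves the attribute un-iterable until the later hunk at -373 assigns `["samba_portmapper"]`, yet the restore loop added in the last hunk (`for var in self.selinux_booleans:`) iterates it unconditionally. If that restore code runs on an instance where the assigning method was never called, it raises TypeError and the saved boolean state is never put back; this looks likely for an uninstall path, though the function names are outside the hunks. Initialise the attribute to the list here, `self.selinux_booleans = ["samba_portmapper"]`, or make it a module-level constant next to ALLOWED_NETBIOS_CHARS. The constructor's body starts outside this hunk.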
@@ -311,6 +320,37 @@ class ADTRUSTInstance(service.Service):
for rec in ipa_rdata:
add_rr(zone, win_srv, "SRV", rec)
+ def __configure_selinux_for_smbd(self):
+ selinux = False
+ try:
+ if (os.path.exists('/usr/sbin/selinuxenabled')):
+ ipautil.run(["/usr/sbin/selinuxenabled"])
+ selinux = True
+ except ipautil.CalledProcessError:
+ # selinuxenabled returns 1 if not enabled
+ pass
+
+ if selinux:
+ # Don't assume all booleans are available
+ sebools = []
+ for var in self.selinux_booleans:
+ try:
+ (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var])
+ if stdout and not stderr and returncode == 0:
+ self.backup_state(var, stdout.split()[2])
+ sebools.append(var)
+ except:
+ pass
+
+ if sebools:
+ bools = [var + "=true" for var in sebools]
+ args = ["/usr/sbin/setsebool", "-P"]
+ args.extend(bools);
+ try:
+ ipautil.run(args)
+ except:
+ self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools)))
+
def __start(self):
try:
self.start()
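Review bot: The bare `except: pass` around the getsebool call in __configure_selinux_for_smbd hides every failure, so a boolean that could not be read is silently dropped from `sebools` and the step completes with no hint that samba_portmapper was never enabled. Catch `ipautil.CalledProcessError` only and record it, e.g. `root_logger.debug("getsebool %s failed, boolean not set", var)`, and narrow the bare `except:` around setsebool the same way so an interrupt or a programming error is not reported as the SELinux warning. `stdout.split()[2]` relies on the `name --> state` output shape, which deserves a one-line comment such as `# getsebool prints "<name> --> on|off"`. The trailing semicolon in `args.extend(bools);` can go.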
@@ -373,6 +413,7 @@ class ADTRUSTInstance(service.Service):
self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name
self.cifs_agent = "krbprincipalname=%s,cn=services,cn=accounts,%s" % \
(self.cifs_principal.lower(), self.suffix)
+ self.selinux_booleans = ["samba_portmapper"]
self.__setup_sub_dict()
@@ -395,6 +436,8 @@ class ADTRUSTInstance(service.Service):
self.__add_dns_service_records)
self.step("restarting KDC to take MS PAC changes into account", \
self.__restart_kdc)
+ self.step("setting SELinux booleans", \
+ self.__configure_selinux_for_smbd)
self.step("starting smbd", self.__start)
self.start_creation("Configuring smbd:")
@@ -418,6 +461,14 @@ class ADTRUSTInstance(service.Service):
root_logger.debug(error)
pass
+ for var in self.selinux_booleans:
+ sebool_state = self.restore_state(var)
+ if not sebool_state is None:
+ try:
+ ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state])
+ except:
+ self.print_msg(SELINUX_WARNING % dict(var=var))
+
if not enabled is None and not enabled:
self.disable()
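Review bot: On a failed restore this prints SELINUX_WARNING, whose text says the boolean could not be set "to true" and tells the admin to run `setsebool -P %(var)s true`, while the value being restored is `sebool_state` and may well be the off state. Following that advice would leave samba_portmapper enabled after the trust service has been removed. Use a restore-specific message that names the saved value, e.g. `self.print_msg("WARNING: could not restore SELinux boolean %s to %s" % (var, sebool_state))`, and narrow the bare `except:` to `ipautil.CalledProcessError`. `not sebool_state is None` reads more clearly as `sebool_state is not None`. The enclosing function starts and ends outside the hunk.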