diff options
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 90 |
1 files changed, 19 insertions, 71 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 329dbb076..367c536b9 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -22,7 +22,6 @@ import os.path import tempfile import pwd import shutil -import stat import re import service @@ -31,12 +30,18 @@ import installutils from ipapython import sysrestore from ipapython import ipautil from ipapython import dogtag -from ipapython.ipa_log_manager import * +from ipapython.ipa_log_manager import root_logger +import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api from ipaplatform.tasks import tasks from ipaplatform.paths import paths -from ipalib.constants import CACERT + + +SELINUX_BOOLEAN_SETTINGS = dict( + httpd_can_network_connect='on', + httpd_manage_ipa='on', +) def httpd_443_configured(): @@ -135,67 +140,11 @@ class HTTPInstance(service.Service): self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) def configure_selinux_for_httpd(self): - def get_setsebool_args(changes): - if len(changes) == 1: - # workaround https://bugzilla.redhat.com/show_bug.cgi?id=825163 - updates = changes.items()[0] - else: - updates = ["%s=%s" % update for update in changes.iteritems()] - - args = [paths.SETSEBOOL, "-P"] - args.extend(updates) - - return args - - selinux = False try: - if (os.path.exists(paths.SELINUXENABLED)): - ipautil.run([paths.SELINUXENABLED]) - selinux = True - except ipautil.CalledProcessError: - # selinuxenabled returns 1 if not enabled - pass - - if selinux: - # Don't assume all vars are available - updated_vars = {} - failed_vars = {} - required_settings = (("httpd_can_network_connect", "on"), - ("httpd_manage_ipa", "on")) - for setting, state in required_settings: - try: - (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, setting]) - original_state = stdout.split()[2] - self.backup_state(setting, original_state) - - if original_state != state: - updated_vars[setting] = state - except ipautil.CalledProcessError, e: - root_logger.debug("Cannot get SELinux boolean '%s': %s", setting, e) - failed_vars[setting] = state - - # Allow apache to connect to the dogtag UI and the session cache - # This can still fail even if selinux is enabled. Execute these - # together so it is speedier. - if updated_vars: - args = get_setsebool_args(updated_vars) - try: - ipautil.run(args) - except ipautil.CalledProcessError: - failed_vars.update(updated_vars) - - if failed_vars: - args = get_setsebool_args(failed_vars) - names = [update[0] for update in updated_vars] - message = ['WARNING: could not set the following SELinux boolean(s):'] - for update in failed_vars.iteritems(): - message.append(' %s -> %s' % update) - message.append('The web interface may not function correctly until the booleans') - message.append('are successfully changed with the command:') - message.append(' '.join(args)) - message.append('Try updating the policycoreutils and selinux-policy packages.') - - self.print_msg("\n".join(message)) + tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS, + self.backup_state) + except ipapython.errors.SetseboolError as e: + self.print_msg(e.format_service_warning('web interface')) def __create_http_keytab(self): installutils.kadmin_addprinc(self.principal) @@ -412,14 +361,13 @@ class HTTPInstance(service.Service): installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) - for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: - sebool_state = self.restore_state(var) - if not sebool_state is None: - try: - ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state]) - except ipautil.CalledProcessError, e: - self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ - % (var, sebool_state, e)) + # Restore SELinux boolean states + boolean_states = {name: self.restore_state(name) + for name in SELINUX_BOOLEAN_SETTINGS} + try: + tasks.set_selinux_booleans(boolean_states) + except ipapython.errors.SetseboolError as e: + self.print_msg('WARNING: ' + str(e)) if not running is None and running: self.start() |