Diffstat (limited to 'ipaserver/install')
-rw-r--r--ipaserver/install/adtrustinstance.py62
-rw-r--r--ipaserver/install/httpinstance.py90
2 files changed, 35 insertions, 117 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 38b080131..4ba14d4a4 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -36,23 +36,17 @@ from ipalib.util import normalize_zone
from ipapython.dn import DN
from ipapython import sysrestore
from ipapython import ipautil
-from ipapython.ipa_log_manager import *
+from ipapython.ipa_log_manager import root_logger
+import ipapython.errors
import ipaclient.ipachangeconf
from ipaplatform import services
from ipaplatform.paths import paths
+from ipaplatform.tasks import tasks
ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits
-SELINUX_WARNING = """
-WARNING: could not set selinux boolean(s) %(var)s to true. The adtrust
-service may not function correctly until this boolean is successfully
-change with the command:
- /usr/sbin/setsebool -P %(var)s true
-Try updating the policycoreutils and selinux-policy packages.
-"""
-
UPGRADE_ERROR = """
Entry %(dn)s does not exist.
This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
@@ -60,6 +54,9 @@ configuration was not set up properly. Please run ipa-ldap-updater manually
and re-run ipa-adtrust-instal again afterwards.
"""
+SELINUX_BOOLEAN_SETTINGS = {'samba_portmapper': 'on'}
+
+
def check_inst():
for smbfile in [paths.SMBD, paths.NET]:
if not os.path.exists(smbfile):
@@ -148,7 +145,6 @@ class ADTRUSTInstance(service.Service):
# Constants
self.smb_conf = paths.SMB_CONF
self.samba_keytab = paths.SAMBA_KEYTAB
- self.selinux_booleans = ["samba_portmapper"]
self.cifs_hosts = []
# Values obtained from API.env
@@ -611,35 +607,11 @@ class ADTRUSTInstance(service.Service):
add_rr(zone, win_srv, "SRV", rec)
def __configure_selinux_for_smbd(self):
- selinux = False
try:
- if (os.path.exists(paths.SELINUXENABLED)):
- ipautil.run([paths.SELINUXENABLED])
- selinux = True
- except ipautil.CalledProcessError:
- # selinuxenabled returns 1 if not enabled
- pass
-
- if selinux:
- # Don't assume all booleans are available
- sebools = []
- for var in self.selinux_booleans:
- try:
- (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, var])
- if stdout and not stderr and returncode == 0:
- self.backup_state(var, stdout.split()[2])
- sebools.append(var)
- except:
- pass
-
- if sebools:
- bools = [var + "=true" for var in sebools]
- args = [paths.SETSEBOOL, "-P"]
- args.extend(bools);
- try:
- ipautil.run(args)
- except:
- self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools)))
+ tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
+ self.backup_state)
+ except ipapython.errors.SetseboolError as e:
+ self.print_msg(e.format_service_warning('adtrust service'))
def __mod_krb5_conf(self):
"""
@@ -909,14 +881,12 @@ class ADTRUSTInstance(service.Service):
# we should not restore smb.conf
# Restore the state of affected selinux booleans
- for var in self.selinux_booleans:
- sebool_state = self.restore_state(var)
- if not sebool_state is None:
- try:
- ipautil.run([paths.SETSEBOOL,
- "-P", var, sebool_state])
- except Exception:
- self.print_msg(SELINUX_WARNING % dict(var=var))
+ boolean_states = {name: self.restore_state(name)
+ for name in SELINUX_BOOLEAN_SETTINGS}
+ try:
+ tasks.set_selinux_booleans(boolean_states)
+ except ipapython.errors.SetseboolError as e:
+ self.print_msg('WARNING: ' + str(e))
# Remove samba's credentials cache
krb5cc_samba = paths.KRB5CC_SAMBA
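Review bot: The `None` guard from the removed loop is gone in the restore block: the old code tested `if not sebool_state is None` before calling setsebool, while the new comprehension passes every `self.restore_state(name)` result, including `None`, to `tasks.set_selinux_booleans`. Unless the helper skips `None` states, which is not visible in this diff, uninstall on a host where no state was saved would ask it to set the boolean to `None`. Filtering first keeps the old behaviour explicit: `boolean_states = {n: s for n, s in boolean_states.items() if s is not None}`. The same block is added in the uninstall hunk of `httpinstance.py`, and there the new `'WARNING: ' + str(e)` replaces a message that named the boolean and the state it should return to, so a failed restore that leaves a relaxed boolean enabled is harder to act on. Both uninstall methods start outside their hunks.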
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 329dbb076..367c536b9 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -22,7 +22,6 @@ import os.path
import tempfile
import pwd
import shutil
-import stat
import re
import service
@@ -31,12 +30,18 @@ import installutils
from ipapython import sysrestore
from ipapython import ipautil
from ipapython import dogtag
-from ipapython.ipa_log_manager import *
+from ipapython.ipa_log_manager import root_logger
+import ipapython.errors
from ipaserver.install import sysupgrade
from ipalib import api
from ipaplatform.tasks import tasks
from ipaplatform.paths import paths
-from ipalib.constants import CACERT
+
+
+SELINUX_BOOLEAN_SETTINGS = dict(
+ httpd_can_network_connect='on',
+ httpd_manage_ipa='on',
+)
def httpd_443_configured():
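Review bot: The reason for these two booleans is lost with this change: the block removed from `configure_selinux_for_httpd` carried the comment "Allow apache to connect to the dogtag UI and the session cache", and the new `SELINUX_BOOLEAN_SETTINGS` constant has no comment. Each entry relaxes the SELinux confinement of httpd (the old code applied them with `setsebool -P`), so the justification belongs next to the definition, e.g. `# Allow apache to connect to the dogtag UI and the session cache` directly above `SELINUX_BOOLEAN_SETTINGS = dict(`. The `{'samba_portmapper': 'on'}` constant added in `adtrustinstance.py` would benefit from a one-line reason as well; the diff does not state one.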
@@ -135,67 +140,11 @@ class HTTPInstance(service.Service):
self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix)
def configure_selinux_for_httpd(self):
- def get_setsebool_args(changes):
- if len(changes) == 1:
- # workaround https://bugzilla.redhat.com/show_bug.cgi?id=825163
- updates = changes.items()[0]
- else:
- updates = ["%s=%s" % update for update in changes.iteritems()]
-
- args = [paths.SETSEBOOL, "-P"]
- args.extend(updates)
-
- return args
-
- selinux = False
try:
- if (os.path.exists(paths.SELINUXENABLED)):
- ipautil.run([paths.SELINUXENABLED])
- selinux = True
- except ipautil.CalledProcessError:
- # selinuxenabled returns 1 if not enabled
- pass
-
- if selinux:
- # Don't assume all vars are available
- updated_vars = {}
- failed_vars = {}
- required_settings = (("httpd_can_network_connect", "on"),
- ("httpd_manage_ipa", "on"))
- for setting, state in required_settings:
- try:
- (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, setting])
- original_state = stdout.split()[2]
- self.backup_state(setting, original_state)
-
- if original_state != state:
- updated_vars[setting] = state
- except ipautil.CalledProcessError, e:
- root_logger.debug("Cannot get SELinux boolean '%s': %s", setting, e)
- failed_vars[setting] = state
-
- # Allow apache to connect to the dogtag UI and the session cache
- # This can still fail even if selinux is enabled. Execute these
- # together so it is speedier.
- if updated_vars:
- args = get_setsebool_args(updated_vars)
- try:
- ipautil.run(args)
- except ipautil.CalledProcessError:
- failed_vars.update(updated_vars)
-
- if failed_vars:
- args = get_setsebool_args(failed_vars)
- names = [update[0] for update in updated_vars]
- message = ['WARNING: could not set the following SELinux boolean(s):']
- for update in failed_vars.iteritems():
- message.append(' %s -> %s' % update)
- message.append('The web interface may not function correctly until the booleans')
- message.append('are successfully changed with the command:')
- message.append(' '.join(args))
- message.append('Try updating the policycoreutils and selinux-policy packages.')
-
- self.print_msg("\n".join(message))
+ tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS,
+ self.backup_state)
+ except ipapython.errors.SetseboolError as e:
+ self.print_msg(e.format_service_warning('web interface'))
def __create_http_keytab(self):
installutils.kadmin_addprinc(self.principal)
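Review bot: `configure_selinux_for_httpd` has no docstring, and after the refactor its body no longer shows what happens when SELinux is disabled or a boolean is unavailable; the removed code checked `selinuxenabled` and logged getsebool failures with `root_logger.debug`. A docstring should say that the method applies `SELINUX_BOOLEAN_SETTINGS`, hands `self.backup_state` to the helper (presumably so the previous values can be restored at uninstall), and reports `SetseboolError` as a printed warning instead of failing the install. Whether `tasks.set_selinux_booleans` still skips hosts without SELinux and still records failures in the install log is not visible here and is worth confirming. `__configure_selinux_for_smbd` in `adtrustinstance.py` has the same shape and would take the same docstring.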
@@ -412,14 +361,13 @@ class HTTPInstance(service.Service):
installutils.remove_file(paths.HTTPD_IPA_CONF)
installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
- for var in ["httpd_can_network_connect", "httpd_manage_ipa"]:
- sebool_state = self.restore_state(var)
- if not sebool_state is None:
- try:
- ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state])
- except ipautil.CalledProcessError, e:
- self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \
- % (var, sebool_state, e))
+ # Restore SELinux boolean states
+ boolean_states = {name: self.restore_state(name)
+ for name in SELINUX_BOOLEAN_SETTINGS}
+ try:
+ tasks.set_selinux_booleans(boolean_states)
+ except ipapython.errors.SetseboolError as e:
+ self.print_msg('WARNING: ' + str(e))
if not running is None and running:
self.start()