diff options
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/adtrustinstance.py | 62 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 90 |
2 files changed, 35 insertions, 117 deletions
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index 38b080131..4ba14d4a4 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -36,23 +36,17 @@ from ipalib.util import normalize_zone from ipapython.dn import DN from ipapython import sysrestore from ipapython import ipautil -from ipapython.ipa_log_manager import * +from ipapython.ipa_log_manager import root_logger +import ipapython.errors import ipaclient.ipachangeconf from ipaplatform import services from ipaplatform.paths import paths +from ipaplatform.tasks import tasks ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits -SELINUX_WARNING = """ -WARNING: could not set selinux boolean(s) %(var)s to true. The adtrust -service may not function correctly until this boolean is successfully -change with the command: - /usr/sbin/setsebool -P %(var)s true -Try updating the policycoreutils and selinux-policy packages. -""" - UPGRADE_ERROR = """ Entry %(dn)s does not exist. This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy @@ -60,6 +54,9 @@ configuration was not set up properly. Please run ipa-ldap-updater manually and re-run ipa-adtrust-instal again afterwards. """ +SELINUX_BOOLEAN_SETTINGS = {'samba_portmapper': 'on'} + + def check_inst(): for smbfile in [paths.SMBD, paths.NET]: if not os.path.exists(smbfile): @@ -148,7 +145,6 @@ class ADTRUSTInstance(service.Service): # Constants self.smb_conf = paths.SMB_CONF self.samba_keytab = paths.SAMBA_KEYTAB - self.selinux_booleans = ["samba_portmapper"] self.cifs_hosts = [] # Values obtained from API.env @@ -611,35 +607,11 @@ class ADTRUSTInstance(service.Service): add_rr(zone, win_srv, "SRV", rec) def __configure_selinux_for_smbd(self): - selinux = False try: - if (os.path.exists(paths.SELINUXENABLED)): - ipautil.run([paths.SELINUXENABLED]) - selinux = True - except ipautil.CalledProcessError: - # selinuxenabled returns 1 if not enabled - pass - - if selinux: - # Don't assume all booleans are available - sebools = [] - for var in self.selinux_booleans: - try: - (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, var]) - if stdout and not stderr and returncode == 0: - self.backup_state(var, stdout.split()[2]) - sebools.append(var) - except: - pass - - if sebools: - bools = [var + "=true" for var in sebools] - args = [paths.SETSEBOOL, "-P"] - args.extend(bools); - try: - ipautil.run(args) - except: - self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools))) + tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS, + self.backup_state) + except ipapython.errors.SetseboolError as e: + self.print_msg(e.format_service_warning('adtrust service')) def __mod_krb5_conf(self): """ @@ -909,14 +881,12 @@ class ADTRUSTInstance(service.Service): # we should not restore smb.conf # Restore the state of affected selinux booleans - for var in self.selinux_booleans: - sebool_state = self.restore_state(var) - if not sebool_state is None: - try: - ipautil.run([paths.SETSEBOOL, - "-P", var, sebool_state]) - except Exception: - self.print_msg(SELINUX_WARNING % dict(var=var)) + boolean_states = {name: self.restore_state(name) + for name in SELINUX_BOOLEAN_SETTINGS} + try: + tasks.set_selinux_booleans(boolean_states) + except ipapython.errors.SetseboolError as e: + self.print_msg('WARNING: ' + str(e)) # Remove samba's credentials cache krb5cc_samba = paths.KRB5CC_SAMBA diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index 329dbb076..367c536b9 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -22,7 +22,6 @@ import os.path import tempfile import pwd import shutil -import stat import re import service @@ -31,12 +30,18 @@ import installutils from ipapython import sysrestore from ipapython import ipautil from ipapython import dogtag -from ipapython.ipa_log_manager import * +from ipapython.ipa_log_manager import root_logger +import ipapython.errors from ipaserver.install import sysupgrade from ipalib import api from ipaplatform.tasks import tasks from ipaplatform.paths import paths -from ipalib.constants import CACERT + + +SELINUX_BOOLEAN_SETTINGS = dict( + httpd_can_network_connect='on', + httpd_manage_ipa='on', +) def httpd_443_configured(): @@ -135,67 +140,11 @@ class HTTPInstance(service.Service): self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) def configure_selinux_for_httpd(self): - def get_setsebool_args(changes): - if len(changes) == 1: - # workaround https://bugzilla.redhat.com/show_bug.cgi?id=825163 - updates = changes.items()[0] - else: - updates = ["%s=%s" % update for update in changes.iteritems()] - - args = [paths.SETSEBOOL, "-P"] - args.extend(updates) - - return args - - selinux = False try: - if (os.path.exists(paths.SELINUXENABLED)): - ipautil.run([paths.SELINUXENABLED]) - selinux = True - except ipautil.CalledProcessError: - # selinuxenabled returns 1 if not enabled - pass - - if selinux: - # Don't assume all vars are available - updated_vars = {} - failed_vars = {} - required_settings = (("httpd_can_network_connect", "on"), - ("httpd_manage_ipa", "on")) - for setting, state in required_settings: - try: - (stdout, stderr, returncode) = ipautil.run([paths.GETSEBOOL, setting]) - original_state = stdout.split()[2] - self.backup_state(setting, original_state) - - if original_state != state: - updated_vars[setting] = state - except ipautil.CalledProcessError, e: - root_logger.debug("Cannot get SELinux boolean '%s': %s", setting, e) - failed_vars[setting] = state - - # Allow apache to connect to the dogtag UI and the session cache - # This can still fail even if selinux is enabled. Execute these - # together so it is speedier. - if updated_vars: - args = get_setsebool_args(updated_vars) - try: - ipautil.run(args) - except ipautil.CalledProcessError: - failed_vars.update(updated_vars) - - if failed_vars: - args = get_setsebool_args(failed_vars) - names = [update[0] for update in updated_vars] - message = ['WARNING: could not set the following SELinux boolean(s):'] - for update in failed_vars.iteritems(): - message.append(' %s -> %s' % update) - message.append('The web interface may not function correctly until the booleans') - message.append('are successfully changed with the command:') - message.append(' '.join(args)) - message.append('Try updating the policycoreutils and selinux-policy packages.') - - self.print_msg("\n".join(message)) + tasks.set_selinux_booleans(SELINUX_BOOLEAN_SETTINGS, + self.backup_state) + except ipapython.errors.SetseboolError as e: + self.print_msg(e.format_service_warning('web interface')) def __create_http_keytab(self): installutils.kadmin_addprinc(self.principal) @@ -412,14 +361,13 @@ class HTTPInstance(service.Service): installutils.remove_file(paths.HTTPD_IPA_CONF) installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF) - for var in ["httpd_can_network_connect", "httpd_manage_ipa"]: - sebool_state = self.restore_state(var) - if not sebool_state is None: - try: - ipautil.run([paths.SETSEBOOL, "-P", var, sebool_state]) - except ipautil.CalledProcessError, e: - self.print_msg("Cannot restore SELinux boolean '%s' back to '%s': %s" \ - % (var, sebool_state, e)) + # Restore SELinux boolean states + boolean_states = {name: self.restore_state(name) + for name in SELINUX_BOOLEAN_SETTINGS} + try: + tasks.set_selinux_booleans(boolean_states) + except ipapython.errors.SetseboolError as e: + self.print_msg('WARNING: ' + str(e)) if not running is None and running: self.start() |