Diffstat (limited to 'ldap/admin/src/scripts')
| -rw-r--r-- | ldap/admin/src/scripts/DSCreate.pm.in | 62 | ||||
| -rw-r--r-- | ldap/admin/src/scripts/DSMigration.pm.in | 3 | ||||
| -rw-r--r-- | ldap/admin/src/scripts/Util.pm.in | 49 | ||||
| -rw-r--r-- | ldap/admin/src/scripts/setup-ds.res.in | 1 |
4 files changed, 111 insertions, 4 deletions
diff --git a/ldap/admin/src/scripts/DSCreate.pm.in b/ldap/admin/src/scripts/DSCreate.pm.in index d33f13af..15302b9c 100644 --- a/ldap/admin/src/scripts/DSCreate.pm.in +++ b/ldap/admin/src/scripts/DSCreate.pm.in @@ -888,6 +888,41 @@ sub setDefaults { return (); } +sub updateSelinuxPolicy { + my $inf = shift; + + # if selinux is not available, do nothing + if ("@with_selinux@") { + # run restorecon on all directories we created + for (qw(inst_dir config_dir schema_dir log_dir lock_dir run_dir tmp_dir + cert_dir db_dir ldif_dir bak_dir)) { + my $dir = $inf->{slapd}->{$_}; + system("restorecon -R $dir"); + } + + # label the selected port as ldap_port_t + if ($inf->{slapd}->{ServerPort} != 0) { + my $need_label = 1; + + # check if the port is already labeled properly + my $portline = `semanage port -l | grep ldap_port_t | grep tcp`; + chomp($portline); + $portline =~ s/ldap_port_t\s+tcp\s+//g; + my @labeledports = split(/,\s+/, $portline); + foreach my $labeledport (@labeledports) { + if ($inf->{slapd}->{ServerPort} == $labeledport) { + $need_label = 0; + last; + } + } + + if ($need_label == 1) { + system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}"); + } + } + } +} + sub createDSInstance { my $inf = shift; my @errs; @@ -924,6 +959,8 @@ sub createDSInstance { return @errs; } + updateSelinuxPolicy($inf); + if (@errs = startServer($inf)) { return @errs; } 
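Review bot: `system("restorecon -R $dir")` and `system("semanage port -a -t ldap_port_t -p tcp $inf->{slapd}->{ServerPort}")` in updateSelinuxPolicy hand values taken from the .inf file to a shell command string; the list form bypasses the shell and should be used for both, `system('restorecon', '-R', $dir);` and `system('semanage', 'port', '-a', '-t', 'ldap_port_t', '-p', 'tcp', $inf->{slapd}->{ServerPort});`. Neither call checks its return value, and a directory key missing from `$inf->{slapd}` leaves `$dir` undef, so add `next unless defined $dir;` before the restorecon call and log a non-zero exit status. The `semanage port -l` parsing compares each comma-separated token with `==`; if a token is a range such as `1024-65535` (whether one appears depends on the local policy), it numifies to its start and the port is re-added although it is already covered, which costs a redundant `-a` and a warning. The second hunk on this line, the call added to createDSInstance, raises nothing on its own; createDSInstance continues past the hunk.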
@@ -1048,6 +1085,31 @@ sub removeDSInstance { # Finally, config dir push @errs, remove_tree($entry, "nsslapd-schemadir", $instname, 1, "\.db\$"); + # remove the selinux label from the ports if needed + if ("@with_selinux@") { + foreach my $port (@{$entry->{"nsslapd-port"}}) + { + my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $port 2>&1`; + if ($? != 0) { + if ($semanage_err !~ /defined in policy, cannot be deleted/) { + push @errs, [ 'error_removing_port_label', $port, $semanage_err]; + debug(1, "Warning: Port $port not removed from selinux policy correctly. Error: $semanage_err\n"); + } + } + } + + foreach my $secureport (@{$entry->{"nsslapd-secureport"}}) + { + my $semanage_err = `semanage port -d -t ldap_port_t -p tcp $secureport 2>&1`; + if ($? != 0) { + if ($semanage_err !~ /defined in policy, cannot be deleted/) { + push @errs, [ 'error_removing_port_label', $secureport, $semanage_err]; + debug(1, "Warning: Port $secureport not removed from selinux policy correctly. Error: $semanage_err\n"); + } + } + } + } + # if we got here, report success if (@errs) { debug(1, "Could not successfully remove $instname\n"); diff --git a/ldap/admin/src/scripts/DSMigration.pm.in b/ldap/admin/src/scripts/DSMigration.pm.in index 69e12882..c661d2c1 100644 --- a/ldap/admin/src/scripts/DSMigration.pm.in +++ b/ldap/admin/src/scripts/DSMigration.pm.in @@ -1141,6 +1141,9 @@ sub migrateDS { return 0; } + # ensure any selinux relabeling gets done if needed + DSCreate::updateSelinuxPolicy($inf); + # finally, start the server if ($mig->{start_servers}) { $inf->{slapd}->{start_server} = 1; diff --git a/ldap/admin/src/scripts/Util.pm.in b/ldap/admin/src/scripts/Util.pm.in index e90f3c10..6d54648f 100644 --- a/ldap/admin/src/scripts/Util.pm.in +++ b/ldap/admin/src/scripts/Util.pm.in 
@@ -917,11 +917,52 @@ sub remove_tree sub remove_pidfile { my ($type, $instdir, $instname) = @_; + my $serv_id; + my $run_dir; + my $product_name; + my $pidfile; + + # Get the serv_id from the start-slapd script. + unless(open(INFILE,"$instdir/start-slapd")) { + print("Cannot open start-slapd file for reading "); return 0; + } + while(<INFILE>) { + if (/start-dirsrv /g) { + my @servline=split(/start-dirsrv /, ); + @servline=split(/\s+/, $servline[1]); + $serv_id=$servline[0]; + } + } + close(INFILE); + + # Get the run_dir and product_name from the instance initconfig script. + unless(open(INFILE,"@initconfigdir@/@package_name@-$serv_id")) { + print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0; + } + while(<INFILE>) { + if (/RUN_DIR=/g) { + my @rundir_line=split(/RUN_DIR=+/, ); + @rundir_line=split(/;/, $rundir_line[1]); + $run_dir = $rundir_line[0]; + chop($run_dir); + } elsif (/PRODUCT_NAME=/g) { + my @product_line=split(/PRODUCT_NAME=+/, ); + @product_line=split(/;/, $product_line[1]); + $product_name = $product_line[0]; + chop($product_name); + } + } + close(INFILE); + + # Construct the pidfile name as follows: + # PIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.pid + # STARTPIDFILE=$RUN_DIR/$PRODUCT_NAME-$SERV_ID.startpid + if ($type eq "PIDFILE") { + $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".pid"; + } elsif ($type eq "STARTPIDFILE") { + $pidfile = $run_dir . "/" . $product_name . "-" . $serv_id . ".startpid"; + } - my $pattern = "^" . $type . ".*="; - my $pidline = `grep $pattern $instdir/start-slapd`; - chomp($pidline); - my ($key, $pidfile) = split(/=/, $pidline); if ( -e $pidfile && $pidfile =~ /$instname/ ) { unlink($pidfile); diff --git a/ldap/admin/src/scripts/setup-ds.res.in b/ldap/admin/src/scripts/setup-ds.res.in index 6502951c..53269631 100644 --- a/ldap/admin/src/scripts/setup-ds.res.in +++ b/ldap/admin/src/scripts/setup-ds.res.in 
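Review bot: both `open(INFILE, ...)` calls in remove_pidfile are two-argument opens on an interpolated path with a bareword global handle; two-argument `open` interprets leading or trailing mode characters in the string, so use the three-argument form with a lexical handle, `open(my $fh, '<', "$instdir/start-slapd") or do { ...; return 0 };`. If no `start-dirsrv` line is found, `$serv_id` stays undef and the second open silently targets `@initconfigdir@/@package_name@-`, so check `defined $serv_id` before building that path. `/start-dirsrv /g` in scalar context only adds `pos` bookkeeping on `$_`; a plain match with a capture, `if ($line =~ /start-dirsrv\s+(\S+)/) { $serv_id = $1 }`, replaces the two `split` calls. A `$type` other than `PIDFILE`/`STARTPIDFILE` leaves `$pidfile` undef and the existing `-e $pidfile` test then warns on an uninitialized value, so return early in that case. remove_pidfile continues past the end of the hunk.
```perl
    # Get the serv_id from the start-slapd script.
    open(my $startfh, '<', "$instdir/start-slapd") or do {
        print("Cannot open start-slapd file for reading "); return 0;
    };
    while (my $line = <$startfh>) {
        if ($line =~ /start-dirsrv\s+(\S+)/) {
            $serv_id = $1;
        }
    }
    close($startfh);
    unless (defined $serv_id) {
        print("Cannot find the start-dirsrv line in $instdir/start-slapd "); return 0;
    }

    # Get the run_dir and product_name from the instance initconfig script.
    open(my $initfh, '<', "@initconfigdir@/@package_name@-$serv_id") or do {
        print("Couldn't open @initconfigdir@/@package_name@-$serv_id "); return 0;
    };
    # … unchanged: RUN_DIR / PRODUCT_NAME parsing loop, reading lines from $initfh …
    close($initfh);
    # … unchanged: pidfile name construction from $type …
    return 0 unless defined $pidfile;    # unknown $type: nothing to remove
```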
@@ -135,3 +135,4 @@ error_creating_templdif = Could not create temporary LDIF file. Error: %s\n error_no_such_instance = Error: could not find directory server configuration directory '%s'. Error: %s\n error_finding_config_entry = Error: could not find the config entry '%s' in '%s'. Error: %s\n error_removing_path = Error: could not remove path '%s'. Error: %s\n +error_removing_port_label = Error: could not remove selinux label from port '%s'. Error: %s\n |
