authorvakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-03-22 22:52:15 +0000
committervakwetu <vakwetu@c9f7a03b-bd48-0410-a16d-cbbf54688b0b>2011-03-22 22:52:15 +0000
commit52fc1c277e7195951da58daa81675b8ee79bb085 (patch)
treec14fe17c44b12a1c3944ecfb83bf1656cbe3cb04 /pki/base/setup/pkicreate
parent3e2614ac628ebd2dd727c7b29a79bf701310341c (diff)
Bugzilla BZ#688251 - Dogtag installation under IPA takes too much time - SELinux policy compilation
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1909 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/setup/pkicreate')
-rwxr-xr-xpki/base/setup/pkicreate100
1 files changed, 56 insertions, 44 deletions
diff --git a/pki/base/setup/pkicreate b/pki/base/setup/pkicreate
index 9c3ab722e..a97a76027 100755
--- a/pki/base/setup/pkicreate
+++ b/pki/base/setup/pkicreate
@@ -2901,14 +2901,11 @@ sub check_selinux_port
sub add_selinux_port
{
- my ($setype, $seport) = @_;
+ my ($setype, $seport, $cmds_ref) = @_;
my $status = check_selinux_port($setype, $seport);
if ($status == $SELINUX_PORT_UNDEFINED) {
- emit("Setting selinux context $setype for $seport\n");
- if (!run_command("$semanage port -a -t $setype -p tcp $seport")) {
- emit("Failed setting selinux context $setype for $seport\n", "error");
- }
+ $$cmds_ref .= "port -a -t $setype -p tcp $seport\n";
} elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) {
emit("Failed setting selinux context $setype for $seport\n", "error");
}
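Review bot: The new `$cmds_ref` argument is dereferenced on the `$$cmds_ref .=` line without being documented or checked, so a caller still using the old two-argument form dies under `use strict` with "Can't use an undefined value as a SCALAR reference" rather than a message naming the port. The emit that announced which port was being set was dropped with the old `run_command` call, so the queued line is no longer visible in the log until the batch runs. I would add a header comment stating that this sub only appends a `port -a -t ... -p tcp ...` line to the scalar referenced by `$cmds_ref` and that the caller is responsible for feeding the batch to semanage, and restore a debug line before the append, `emit("Queueing selinux port context $setype for $seport\n", "debug");`. add_selinux_port's closing brace lies outside the hunk.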
@@ -2916,26 +2913,23 @@ sub add_selinux_port
sub add_selinux_file_context
{
- my ($fcontext, $fname, $ftype) = @_;
+ my ($fcontext, $fname, $ftype, $cmds_ref) = @_;
my ($result);
emit(sprintf("add_selinux_file_context(%s)\n", join(", ", @_)), "debug");
- return if $dry_run;
-
#check if fcontext has already been set
- if (`$semanage fcontext -l -n |grep $fname |grep ":$fcontext:" | wc -l` == 1) {
- #selinux context already defined
+ my $tmp = `$semanage fcontext -l -n |grep $fname |grep ":$fcontext:" | wc -l`;
+ chomp $tmp;
+ if ($tmp ne "0") {
+ emit("selinux fcontext for $fname already defined\n", "debug");
return;
}
- emit("Setting selinux file context for $fname\n");
+
if ($ftype eq "f") {
- $result = run_command("$semanage fcontext -a -t $fcontext -f -- $fname");
+ $$cmds_ref .= "fcontext -a -t $fcontext -f -- $fname\n";
} else {
- $result = run_command("$semanage fcontext -a -t $fcontext $fname");
- }
- if (!$result) {
- emit("Failed setting selinux file context $fcontext for $fname", "error");
+ $$cmds_ref .= "fcontext -a -t $fcontext $fname\n";
}
}
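Review bot: The replacement test `if ($tmp ne "0")` treats any output that is not exactly "0" as "already defined", including the empty or undefined result when the backtick pipeline itself cannot be started, so a failure to run `$semanage fcontext -l` silently skips queuing the context, whereas the old `== 1` comparison fell through and attempted the add. The pipeline's exit status in `$?` is never inspected either, and since the `return if $dry_run` guard was removed this listing now also runs in dry-run mode, which makes the failure path more likely to be hit. I would check the status before trusting the count, `if ($? != 0) { emit("Failed listing selinux fcontexts for $fname\n", "error"); }`, and compare numerically, `if ($tmp > 0) {`, so an unreadable listing is reported instead of being mistaken for a match. Note also that `$fname` is a caller-supplied path pattern carrying embedded quotes and regex metacharacters that is still interpolated unescaped into this shell pipeline and into the batched `fcontext -a` line, so the quoting done by the callers is what keeps both commands well-formed; a short comment on the sub stating that contract would help the next person who adds a caller.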
@@ -2954,6 +2948,8 @@ sub process_pki_selinux_setup
my $log_path;
my $ftype;
my $java_component = 0;
+ my $semanage_cmds = "";
+ my @restorecon_cmds;
emit("configuring SELinux ...\n");
@@ -2980,19 +2976,17 @@ sub process_pki_selinux_setup
# set file contexts
if ($java_component) {
- emit("Restorecon file context for /usr/share/java/pki\n");
- run_command("$restorecon -F -R /usr/share/java/pki");
+ push (@restorecon_cmds, "$restorecon -F -R /usr/share/java/pki");
}
- emit("Restorecon file context for /usr/share/pki\n");
- run_command("$restorecon -F -R /usr/share/pki");
+ push (@restorecon_cmds, "$restorecon -F -R /usr/share/pki");
# set file context for $pki_instance_root/$pki_instance_name
if (($pki_instance_name ne $default_instance_name) || ($pki_instance_root ne $default_instance_root)) {
add_selinux_file_context($setype . "_var_lib_t",
- "\"${pki_instance_root}/${pki_instance_name}(/.*)?\"", "a");
+ "\"${pki_instance_root}/${pki_instance_name}(/.*)?\"",
+ "a", \$semanage_cmds);
}
- emit("Restorecon file context for $pki_instance_root/$pki_instance_name\n");
- run_command("$restorecon -F -R $pki_instance_root/$pki_instance_name");
+ push(@restorecon_cmds, "$restorecon -F -R $pki_instance_root/$pki_instance_name");
if ($java_component) {
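Review bot: The first added line writes `push (@restorecon_cmds, ...)` with a space before the opening parenthesis, while the other pushes in this hunk and in the following ones use `push(@restorecon_cmds, ...)`; the usual perltidy/perlcritic convention is no space between a builtin and its argument list, and mixing the two forms in one function reads as a slip. I would change it to `push(@restorecon_cmds, "$restorecon -F -R /usr/share/java/pki");`. process_pki_selinux_setup begins and ends outside this hunk.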
@@ -3000,17 +2994,15 @@ sub process_pki_selinux_setup
my $pidfile = $tomcat6_instance_pid_file_path;
if ($pki_instance_name ne $default_instance_name) {
add_selinux_file_context($setype . "_var_run_t",
- $pidfile, "f");
+ $pidfile, "f", \$semanage_cmds);
}
if (-e $pidfile) {
- emit("Restorecon file context for $pidfile\n");
- run_command("$restorecon -F $pidfile");
+ push(@restorecon_cmds, "$restorecon -F $pidfile");
}
my $pidpath = $default_apache_pids_path;
if (-e $pidpath) {
- emit("Restorecon file context for $pidpath\n");
- run_command("$restorecon -F -R $pidpath");
+ push(@restorecon_cmds, "$restorecon -F -R $pidpath");
}
}
@@ -3021,10 +3013,9 @@ sub process_pki_selinux_setup
} else {
if ($log_path ne $default_log_path) {
add_selinux_file_context($setype . "_log_t",
- "\"$log_path(/.*)?\"", "a");
+ "\"$log_path(/.*)?\"", "a", \$semanage_cmds);
}
- emit("Restorecon file context for $log_path\n");
- run_command("$restorecon -F -R $log_path");
+ push(@restorecon_cmds, "$restorecon -F -R $log_path");
}
# set file context for $conf_path
@@ -3033,41 +3024,62 @@ sub process_pki_selinux_setup
emit("Error: Cannot set selinux context $setype" . "_etc_rw_t for directory /");
} else {
add_selinux_file_context($setype . "_etc_rw_t",
- "\"$conf_path(/.*)?\"", "a");
- emit("Restorecon $conf_path\n");
- run_command("$restorecon -F -R $conf_path");
+ "\"$conf_path(/.*)?\"", "a", \$semanage_cmds);
+ push(@restorecon_cmds, "$restorecon -F -R $conf_path");
}
if (! $java_component) {
- emit("Restorecon file context for /usr/sbin/httpd.worker \n");
- run_command("$restorecon -F -R /usr/sbin/httpd.worker");
+ push(@restorecon_cmds, "$restorecon -F -R /usr/sbin/httpd.worker");
}
# add ports
parse_selinux_ports();
if ($secure_port != -1) {
- add_selinux_port($setype_p, $secure_port);
+ add_selinux_port($setype_p, $secure_port, \$semanage_cmds);
}
if ($non_clientauth_secure_port != -1) {
- add_selinux_port($setype_p, $non_clientauth_secure_port);
+ add_selinux_port($setype_p, $non_clientauth_secure_port, \$semanage_cmds);
}
if ($unsecure_port != -1) {
- add_selinux_port($setype_p, $unsecure_port);
+ add_selinux_port($setype_p, $unsecure_port, \$semanage_cmds);
}
if ($tomcat_server_port != -1) {
- add_selinux_port($setype_p, $tomcat_server_port);
+ add_selinux_port($setype_p, $tomcat_server_port, \$semanage_cmds);
}
if ($agent_secure_port != -1) {
- add_selinux_port($setype_p, $agent_secure_port);
+ add_selinux_port($setype_p, $agent_secure_port, \$semanage_cmds);
}
if ($ee_secure_port != -1) {
- add_selinux_port($setype_p, $ee_secure_port);
+ add_selinux_port($setype_p, $ee_secure_port, \$semanage_cmds);
}
if ($ee_secure_client_auth_port != -1) {
- add_selinux_port($setype_p, $ee_secure_client_auth_port);
+ add_selinux_port($setype_p, $ee_secure_client_auth_port, \$semanage_cmds);
}
if ($admin_secure_port != -1) {
- add_selinux_port($setype_p, $admin_secure_port);
+ add_selinux_port($setype_p, $admin_secure_port, \$semanage_cmds);
+ }
+
+ # now run the selinux commands in batch mode
+ if ($semanage_cmds ne "") {
+ emit("Running the semanage commands in batch mode\n", "debug");
+ if (! $dry_run) {
+ if(! run_command("$semanage -S targeted -i - " . ' << _EOF' . "\n$semanage_cmds\n" . '_EOF' . "\n")) {
+ emit("Failed executing semanage batch command \n", "error");
+ }
+ }
+ } else {
+ emit("Selinux contexts already set. No need to run semanage.\n", "debug");
+ }
+
+ #now run the restorecons
+ emit("Running restorecon commands\n", "debug");
+ foreach my $cmd (@restorecon_cmds) {
+ emit("$cmd\n", "debug");
+ if (! $dry_run) {
+ if (!run_command($cmd)) {
+ emit("Failed executing restorecon command; $cmd\n", "error");
+ }
+ }
}
return 1;