From edd986d94f173ea9f63f105eaf0039327bc6f2e9 Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Tue, 4 Sep 2012 13:40:37 -0500
Subject: Fixed SELinux error during pkidestroy.
When removing a subsystem the pkidestroy would also remove the SELinux contexts for the instance regardless of whether there are still other subsystems in the instance. The code has been fixed such that it's removing the SELinux contexts when deleting the last subsystem only. Ticket #89
---
base/deploy/src/scriptlets/selinux_setup.py | 96 ++++++++++++++++++++---------
1 file changed, 68 insertions(+), 28 deletions(-) (limited to 'base/deploy/src')
diff --git a/base/deploy/src/scriptlets/selinux_setup.py b/base/deploy/src/scriptlets/selinux_setup.py
index 38cc17f0a..58ec3ad4e 100644
--- a/base/deploy/src/scriptlets/selinux_setup.py
+++ b/base/deploy/src/scriptlets/selinux_setup.py
@@ -49,25 +49,44 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): self.restore_context() return self.rv - trans = seobject.semanageRecords("targeted") - trans.start() - if master['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - fcon1 = seobject.fcontextRecords() - fcon1.add(master['pki_instance_path'] + self.suffix, + # add SELinux contexts when adding the first subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 1 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instance_subsystems() == 1: + + trans = seobject.semanageRecords("targeted") + trans.start() + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: + + fcon = seobject.fcontextRecords() + + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_path'] + self.suffix, config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "") - fcon2 = seobject.fcontextRecords() - fcon2.add(master['pki_instance_log_path'] + self.suffix, + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_log_path'] + self.suffix, config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "") - fcon3 = seobject.fcontextRecords() - fcon3.add(master['pki_instance_configuration_path'] + self.suffix, + config.pki_log.info("adding selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.add(master['pki_instance_configuration_path'] + self.suffix, config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "") - for port in ports: - port1 = seobject.portRecords() - port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) - trans.finish() + + portRecords = seobject.portRecords() + for 
port in ports: + config.pki_log.info("adding selinux port %s", port, + extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT) + + trans.finish() self.restore_context() return self.rv 
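Review bot: The first-subsystem test in the added `if` mixes `and` and `or` without parentheses and depends on the helper count being exactly 1 when this scriptlet runs. Python's precedence gives the intended grouping, but writing each pair as `(master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and util.instance.apache_instance_subsystems() == 1)` makes that explicit. The same applies to the `== 0` test in the destroy hunk. What the count includes at this point is not visible here; if it can differ from 1 on a retry after a failed first spawn, the fcontext and port labels would never be added and the instance would run with default labels. I would add a comment above the test such as `# count already includes the subsystem being spawned` once that is confirmed. The enclosing method starts before the hunk.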
@@ -87,21 +106,42 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet): config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: return self.rv - trans = seobject.semanageRecords("targeted") - trans.start() - if master['pki_instance_name'] != \ - config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - fcon1 = seobject.fcontextRecords() - fcon1.delete(master['pki_instance_path'] + self.suffix , "") + # remove SELinux contexts when removing the last subsystem + if master['pki_subsystem'] in config.PKI_APACHE_SUBSYSTEMS and\ + util.instance.apache_instance_subsystems() == 0 or\ + master['pki_subsystem'] in config.PKI_TOMCAT_SUBSYSTEMS and\ + util.instance.tomcat_instance_subsystems() == 0: + + trans = seobject.semanageRecords("targeted") + trans.start() - fcon2 = seobject.fcontextRecords() - fcon2.delete(master['pki_instance_log_path'] + self.suffix, "") + if master['pki_instance_name'] != \ + config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME: - fcon3 = seobject.fcontextRecords() - fcon3.delete(master['pki_instance_configuration_path'] + \ + fcon = seobject.fcontextRecords() + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_path'] + self.suffix , "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_log_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_log_path'] + self.suffix, "") + + config.pki_log.info("deleting selinux fcontext \"%s\"", + master['pki_instance_configuration_path'] + self.suffix, + extra=config.PKI_INDENTATION_LEVEL_2) + fcon.delete(master['pki_instance_configuration_path'] + \ self.suffix, "") - for port in ports: - port1 = seobject.portRecords() - port1.delete(port, "tcp") - trans.finish() + + portRecords = seobject.portRecords() + for port in ports: + config.pki_log.info("deleting selinux port %s", port, + 
extra=config.PKI_INDENTATION_LEVEL_2) + portRecords.delete(port, "tcp") + + trans.finish() + return self.rv -- cgit
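Review bot: The new destroy block does not handle a record that is already absent. seobject's `delete()` raises `ValueError` when a file context or port is not defined, so the first missing record skips the remaining deletions and `trans.finish()`, and the labels that do exist stay registered on the host. An absent record is already the desired end state on this path, so each delete can be guarded and logged rather than aborting the cleanup, as sketched below. This assumes `config.pki_log` is a standard logger with `warning()`. The enclosing method starts before the hunk.

```python
# … unchanged: last-subsystem test, trans.start(), instance-name check, fcon = seobject.fcontextRecords() …
for path in (master['pki_instance_path'],
             master['pki_instance_log_path'],
             master['pki_instance_configuration_path']):
    config.pki_log.info("deleting selinux fcontext \"%s\"",
                        path + self.suffix,
                        extra=config.PKI_INDENTATION_LEVEL_2)
    try:
        fcon.delete(path + self.suffix, "")
    except ValueError as e:
        # record already absent: keep going so the rest is still removed
        config.pki_log.warning("selinux fcontext not removed: %s", e,
                               extra=config.PKI_INDENTATION_LEVEL_2)

portRecords = seobject.portRecords()
for port in ports:
    config.pki_log.info("deleting selinux port %s", port,
                        extra=config.PKI_INDENTATION_LEVEL_2)
    try:
        portRecords.delete(port, "tcp")
    except ValueError as e:
        config.pki_log.warning("selinux port not removed: %s", e,
                               extra=config.PKI_INDENTATION_LEVEL_2)
# … unchanged: trans.finish(), return self.rv …
```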