author | Simo Sorce <simo@redhat.com> | 2014-05-01 13:16:14 -0400 |
committer | Simo Sorce <simo@redhat.com> | 2014-05-01 21:05:45 -0400 |
commit | c6e97e93a61b02602f14606a60b6154880308123 (patch) | |
tree | 697ee43a3976d8d305637a6d5dcabd22f271f059 | |
parent | 2c888a62a0c21114b51fd79d5321d5fed39f0b6e (diff) | |
Make SELinux happy
Add proper context to shared state directories so that httpd can write there.
Relax SELinux booleans to allow use of PAM modules
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.
Signed-off-by: Simo Sorce <simo@redhat.com>
-rw-r--r-- | contrib/fedora/ipsilon.spec | 9 | ||||
-rwxr-xr-x | ipsilon/install/ipsilon-server-install | 5 | ||||
-rwxr-xr-x | ipsilon/login/authpam.py | 9 |
3 files changed, 23 insertions, 0 deletions
diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec
index 08f2c70..f86e4de 100644
--- a/contrib/fedora/ipsilon.spec
+++ b/contrib/fedora/ipsilon.spec
@@ -62,6 +62,15 @@ getent passwd ipsilon >/dev/null || \
 -c "Ipsilon Server" ipsilon
 exit 0
 
+%post
+semanage fcontext -a -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+semanage fcontext -a -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+restorecon -R %{_sharedstatedir}/ipsilon || :
+
+%postun
+semanage fcontext -d -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+semanage fcontext -d -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+
 %files
 %doc COPYING
 %{python2_sitelib}/ipsilon-*.egg-info
diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install
index b5a6371..d9e4585 100755
--- a/ipsilon/install/ipsilon-server-install
+++ b/ipsilon/install/ipsilon-server-install
@@ -28,6 +28,7 @@ import os
 import pwd
 import shutil
 import socket
+import subprocess
 import sys
 import time
 
@@ -137,6 +138,10 @@ def install(plugins, args):
     # Fixup permissions so only the ipsilon user can read these files
     files.fix_user_dirs(instance_conf, opts['system_user'], mode=0500)
     files.fix_user_dirs(args['data_dir'], opts['system_user'])
+    try:
+        subprocess.call(['/usr/sbin/restorecon', '-R', args['data_dir']])
+    except Exception: # pylint: disable=broad-except
+        pass
 
 def uninstall(plugins, args):
     logger.info('Uninstallation initiated')
diff --git a/ipsilon/login/authpam.py b/ipsilon/login/authpam.py
index db409f7..14ebae4 100755
--- a/ipsilon/login/authpam.py
+++ b/ipsilon/login/authpam.py
@@ -22,6 +22,7 @@ from ipsilon.login.common import FACILITY
 from ipsilon.util.plugin import PluginObject
 import cherrypy
 import pam
+import subprocess
 
 
 class Pam(LoginPageBase):
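Review bot: The new `%postun` deletes both fcontext rules unconditionally, but on a package upgrade the old package's `%postun` runs after the new package's `%post`, so the rules are removed right after being re-added and the next relabel puts `%{_sharedstatedir}/ipsilon` back to a type httpd cannot write; wrap the two `semanage fcontext -d` lines in `if [ $1 -eq 0 ]; then` ... `fi` so they only run on erase. The `2>/dev/null || :` on every line also hides a missing `semanage` (the spec's `Requires(post)`/`Requires(postun)` on policycoreutils-python are not visible here, so I cannot tell whether that is already covered). The `.conf` pattern `(/.*)/*.conf` is looser than it reads, since the unescaped `.` matches any character and `/*` is zero or more slashes; something like `(/.*)?/[^/]+\.conf` would pin var_lib_t to actual config files. Keeping config read-only for httpd_t while the rest of the state dir is httpd_var_lib_t is the right least-privilege split, so the intent is good.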
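Review bot: The exit status of restorecon is dropped in the new try block in install(), so a failed relabel (not root, no policy for the path, wrong path) leaves `args['data_dir']` with a type httpd_t cannot write and nothing tells the admin; the same happens when the binary is absent, because `except Exception: pass` also swallows that OSError. Check the return code and report it through the module's `logger` (visible in the hunk's uninstall() context), and narrow the except to OSError so genuine bugs in the call still surface. A warning rather than an abort seems right since the call is best-effort on non-SELinux hosts. install() starts before this hunk.
```python
    files.fix_user_dirs(args['data_dir'], opts['system_user'])
    # Best effort: on SELinux hosts the data dir must carry the httpd-writable
    # label or httpd will be denied; report failures instead of hiding them.
    try:
        rc = subprocess.call(['/usr/sbin/restorecon', '-R', args['data_dir']])
    except OSError as e:  # restorecon not installed: not an SELinux host
        logger.info('restorecon not run on %s: %s', args['data_dir'], e)
    else:
        if rc != 0:
            logger.warning('restorecon -R %s failed (rc=%d); httpd may be '
                           'denied access under SELinux', args['data_dir'], rc)
```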
@@ -185,3 +186,11 @@ class Installer(object):
         globalconf['order'] = ','.join(order)
         po.set_config(globalconf)
         po.save_plugin_config(FACILITY)
+
+        # for selinux enabled platfroms, ignore if it fails just report
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_mod_auth_pam=on',
+                             'httpd_tmp_t=on'])
+        except Exception: # pylint: disable=broad-except
+            pass |
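Review bot: The comment says "ignore if it fails just report", but the return value of subprocess.call is discarded and the broad except also swallows a missing /usr/sbin/setsebool, so a failed `setsebool -P` is never reported to anyone. That matters because `httpd_tmp_t` reads like a file type rather than a boolean (the boolean name I would expect is `httpd_tmp_exec`); if setsebool rejects an unknown name the call fails as a whole and `httpd_mod_auth_pam` is not persisted either, which is exactly the case the commit wants to fix, so please verify the name with `getsebool -a`. Turning these booleans on is a host-wide policy relaxation for every httpd_t process, not just Ipsilon, and the installer should say so in its output. The typo `platfroms` can go while the comment is touched; the enclosing Installer method starts before this hunk, and `print` below stands in for whatever reporting channel the installer already uses.
```python
        # for selinux enabled platforms: best effort, but report failures,
        # since this relaxes policy for every httpd_t process on the host
        try:
            rc = subprocess.call(['/usr/sbin/setsebool', '-P',
                                  'httpd_mod_auth_pam=on',
                                  'httpd_tmp_t=on'])
        except OSError as e:  # no setsebool: not an SELinux host
            print('SELinux booleans not set: %s' % e)
        else:
            if rc != 0:
                print('setsebool -P failed (rc=%d); httpd may be denied '
                      'PAM access under SELinux' % rc)
```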