From c95d08303cbf37b0ac39414c27daf9b0889cae3a Mon Sep 17 00:00:00 2001
From: John Dennis
Date: Mon, 26 Jan 2015 17:11:03 -0500
Subject: set SELinux boolean httpd_can_connect_ldap when install infolap and authldap

Signed-off-by: John Dennis
Reviewed-by: Patrick Uiterwijk
---
 ipsilon/info/infoldap.py | 9 +++++++++
 ipsilon/login/authldap.py | 9 +++++++++
 2 files changed, 18 insertions(+)
diff --git a/ipsilon/info/infoldap.py b/ipsilon/info/infoldap.py
index 7170e95..3edd0dd 100644
--- a/ipsilon/info/infoldap.py
+++ b/ipsilon/info/infoldap.py
@@ -8,6 +8,7 @@ from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
 from ipsilon.util import config as pconfig
 import ldap
+import subprocess
 # TODO: fetch mapping from configuration
@@ -196,3 +197,11 @@ class Installer(InfoProviderInstaller):
 # Update global config to add info plugin
 po.is_enabled = True
 po.save_enabled_state()
+
+ # For selinux enabled platforms permit httpd to connect to ldap,
+ # ignore if it fails
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_can_connect_ldap=on'])
+ except Exception: # pylint: disable=broad-except
+ pass
diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py
index f383003..1f6c3dc 100644
--- a/ipsilon/login/authldap.py
+++ b/ipsilon/login/authldap.py
@@ -7,6 +7,7 @@ from ipsilon.util.log import Log
 from ipsilon.util import config as pconfig
 from ipsilon.info.infoldap import InfoProvider as LDAPInfo
 import ldap
+import subprocess
 class LDAP(LoginFormBase, Log):
@@ -201,3 +202,11 @@ class Installer(LoginManagerInstaller):
 # Update global config to add login plugin
 po.is_enabled = True
 po.save_enabled_state()
+
+ # For selinux enabled platforms permit httpd to connect to ldap,
+ # ignore if it fails
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_can_connect_ldap=on'])
+ except Exception: # pylint: disable=broad-except
+ pass
-- cgit
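Review bot: The setsebool block added at the end of the Installer in infoldap.py (and repeated in authldap.py) persistently enables `httpd_can_connect_ldap` with `-P` and then discards every outcome, so neither the policy change nor its failure is reported to the administrator. `subprocess.call` returns the exit status instead of raising, so the `except Exception` only covers cases such as a missing binary; a non-zero status from setsebool passes silently and a later SELinux denial of the LDAP connection has nothing in the install output to explain it. Keep the best-effort behaviour but record the result, e.g. `rc = subprocess.call([...])` followed by a warning when `rc != 0`, and narrow the handler to `except OSError`. The boolean is a host-wide, reboot-persistent relaxation for the httpd domain, so the installer should also state that it was set; whether the uninstall path resets it cannot be seen here, as the enclosing method starts outside the hunk.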
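Review bot: The setsebool call at the end of the Installer in authldap.py is a verbatim copy of the one added to infoldap.py, so any later change to the policy handling (logging the result, making the boolean optional) has to be made in two places and can drift. authldap.py already imports from `ipsilon.info.infoldap`, so a single module-level helper there or under `ipsilon.util` could be called from both installers. That helper is also the natural place for a docstring stating that it persistently sets an SELinux boolean for the whole host and is best-effort. The enclosing method begins outside the hunk.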