author | Petr Viktorin <pviktori@redhat.com> | 2014-08-14 17:14:07 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-09-26 12:12:59 +0200 |
commit | c7d6fea06f17ecceb3d7c6aae57cc7b9f4fe4c9f (patch) | |
tree | 798b417b9bdae065b932942645fdd5b221171404 /ipaplatform/fedora/tasks.py | |
parent | 757272a3f818e85e7f0b88060efbcd76d3a93f8b (diff) | |
Move setting SELinux booleans to platform code
Create a platform task for setting SELinux booleans.
Use an exception for the case when the booleans could not be set
(since this is an error if not handled).
Since ipaplatform should not depend on ipalib, create a new
errors module in ipapython for SetseboolError.
Handle uninstallation with the same task, which means
the booleans are now restored with a single call to
setsebool.
Preparation for: https://fedorahosted.org/freeipa/ticket/4157
Fixes: https://fedorahosted.org/freeipa/ticket/2934
Fixes: https://fedorahosted.org/freeipa/ticket/2519
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Diffstat (limited to 'ipaplatform/fedora/tasks.py')
-rw-r--r-- | ipaplatform/fedora/tasks.py | 53 |
1 files changed, 51 insertions, 2 deletions
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py index 926c0ea66..9f4a76b82 100644 --- a/ipaplatform/fedora/tasks.py +++ b/ipaplatform/fedora/tasks.py @@ -24,7 +24,6 @@ This module contains default Fedora-specific implementations of system tasks. ''' import os -import shutil import stat import socket import sys @@ -35,8 +34,9 @@ from subprocess import CalledProcessError from nss.error import NSPRError from pyasn1.error import PyAsn1Error -from ipapython.ipa_log_manager import root_logger +from ipapython.ipa_log_manager import root_logger, log_mgr from ipapython import ipautil +import ipapython.errors from ipalib import x509 # FIXME: do not import from ipalib @@ -45,6 +45,9 @@ from ipaplatform.fedora.authconfig import FedoraAuthConfig from ipaplatform.base.tasks import BaseTaskNamespace +log = log_mgr.get_logger(__name__) + + class FedoraTaskNamespace(BaseTaskNamespace): def restore_context(self, filepath, restorecon=paths.SBIN_RESTORECON): 
@@ -326,4 +329,50 @@ class FedoraTaskNamespace(BaseTaskNamespace): except OSError: pass + def set_selinux_booleans(self, required_settings, backup_func=None): + def get_setsebool_args(changes): + args = [paths.SETSEBOOL, "-P"] + args.extend(["%s=%s" % update for update in changes.iteritems()]) + + return args + + if (os.path.exists(paths.SELINUXENABLED)): + try: + ipautil.run([paths.SELINUXENABLED]) + except ipautil.CalledProcessError: + # selinuxenabled returns 1 if not enabled + return False + else: + return False + + updated_vars = {} + failed_vars = {} + for setting, state in required_settings.iteritems(): + try: + (stdout, stderr, rc) = ipautil.run([paths.GETSEBOOL, setting]) + original_state = stdout.split()[2] + if backup_func is not None: + backup_func(setting, original_state) + + if original_state != state: + updated_vars[setting] = state + except ipautil.CalledProcessError, e: + log.error("Cannot get SELinux boolean '%s': %s", setting, e) + failed_vars[setting] = state + + if updated_vars: + args = get_setsebool_args(updated_vars) + try: + ipautil.run(args) + except ipautil.CalledProcessError: + failed_vars.update(updated_vars) + + if failed_vars: + raise ipapython.errors.SetseboolError( + failed=failed_vars, + command=' '.join(get_setsebool_args(failed_vars))) + + return True + + tasks = FedoraTaskNamespace() |
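Review bot: In set_selinux_booleans, `original_state = stdout.split()[2]` assumes getsebool always prints at least three whitespace-separated tokens, and only `ipautil.CalledProcessError` is caught around it, so an unexpected output would presumably raise IndexError out of the loop instead of recording the boolean in `failed_vars`. Widening the handler to `except (ipautil.CalledProcessError, IndexError), e:` would let a parse failure be logged and reported through SetseboolError like any other failure. The setsebool branch also discards its exception; binding it and adding `log.error("Cannot set SELinux booleans: %s", e)` would keep the reason in the log, matching the getsebool branch. A short docstring stating that the method returns False when SELinux is not enabled, True on success, and raises SetseboolError otherwise would help callers tell "not applicable" apart from "applied".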