From 8b396f3c7a397d39f07af3f2f5d5317204dfa762 Mon Sep 17 00:00:00 2001 From: sbose Date: Wed, 30 May 2012 11:54:01 +0200 Subject: Set samba_portmapper SELinux boolean during ipa-adtrust-install --- ipaserver/install/adtrustinstance.py | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py index fffa062cd..e15854a91 100644 --- a/ipaserver/install/adtrustinstance.py +++ b/ipaserver/install/adtrustinstance.py @@ -39,6 +39,14 @@ import struct ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits +SELINUX_WARNING = """ +WARNING: could not set selinux boolean(s) %(var)s to true. The adtrust +service may not function correctly until this boolean is successfully +change with the command: + /usr/sbin/setsebool -P %(var)s true +Try updating the policycoreutils and selinux-policy packages. +""" + def check_inst(): for smbfile in ['/usr/sbin/smbd', '/usr/bin/net', '/usr/bin/smbpasswd']: if not os.path.exists(smbfile): @@ -105,6 +113,7 @@ class ADTRUSTInstance(service.Service): self.sub_dict = None self.cifs_principal = None self.cifs_agent = None + self.selinux_booleans = None service.Service.__init__(self, "smb", dm_password=dm_password) @@ -311,6 +320,37 @@ class ADTRUSTInstance(service.Service): for rec in ipa_rdata: add_rr(zone, win_srv, "SRV", rec) + def __configure_selinux_for_smbd(self): + selinux = False + try: + if (os.path.exists('/usr/sbin/selinuxenabled')): + ipautil.run(["/usr/sbin/selinuxenabled"]) + selinux = True + except ipautil.CalledProcessError: + # selinuxenabled returns 1 if not enabled + pass + + if selinux: + # Don't assume all booleans are available + sebools = [] + for var in self.selinux_booleans: + try: + (stdout, stderr, returncode) = ipautil.run(["/usr/sbin/getsebool", var]) + if stdout and not stderr and returncode == 0: + self.backup_state(var, stdout.split()[2]) + sebools.append(var) + except: + pass + + if sebools: + bools = [var + "=true" for var in sebools] + args = ["/usr/sbin/setsebool", "-P"] + args.extend(bools); + try: + ipautil.run(args) + except: + self.print_msg(SELINUX_WARNING % dict(var=','.join(sebools))) + def __start(self): try: self.start() @@ -373,6 +413,7 @@ class ADTRUSTInstance(service.Service): self.cifs_principal = "cifs/" + self.fqdn + "@" + self.realm_name self.cifs_agent = "krbprincipalname=%s,cn=services,cn=accounts,%s" % \ (self.cifs_principal.lower(), self.suffix) + self.selinux_booleans = ["samba_portmapper"] self.__setup_sub_dict() @@ -395,6 +436,8 @@ class ADTRUSTInstance(service.Service): self.__add_dns_service_records) self.step("restarting KDC to take MS PAC changes into account", \ self.__restart_kdc) + self.step("setting SELinux booelans", \ + self.__configure_selinux_for_smbd) self.step("starting smbd", self.__start) self.start_creation("Configuring smbd:") @@ -418,6 +461,14 @@ class ADTRUSTInstance(service.Service): root_logger.debug(error) pass + for var in self.selinux_booleans: + sebool_state = self.restore_state(var) + if not sebool_state is None: + try: + ipautil.run(["/usr/sbin/setsebool", "-P", var, sebool_state]) + except: + self.print_msg(SELINUX_WARNING % dict(var=var)) + if not enabled is None and not enabled: self.disable() -- cgit