From 308d2dd406d5ec935b209c52803ce7de4136fe0b Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Fri, 3 Oct 2014 11:14:56 +0200 Subject: Split off generic Red Hat-like platform code from Fedora platform code https://fedorahosted.org/freeipa/ticket/4562 Reviewed-By: Martin Kosek --- ipaplatform/redhat/__init__.py | 22 +++ ipaplatform/redhat/authconfig.py | 86 +++++++++ ipaplatform/redhat/paths.py | 33 ++++ ipaplatform/redhat/services.py | 237 +++++++++++++++++++++++ ipaplatform/redhat/tasks.py | 394 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 772 insertions(+) create mode 100644 ipaplatform/redhat/__init__.py create mode 100644 ipaplatform/redhat/authconfig.py create mode 100644 ipaplatform/redhat/paths.py create mode 100644 ipaplatform/redhat/services.py create mode 100644 ipaplatform/redhat/tasks.py (limited to 'ipaplatform/redhat') diff --git a/ipaplatform/redhat/__init__.py b/ipaplatform/redhat/__init__.py new file mode 100644 index 000000000..b6925a7a7 --- /dev/null +++ b/ipaplatform/redhat/__init__.py @@ -0,0 +1,22 @@ +# Authors: +# Tomas Babej +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +''' +This module contains Red Hat OS family specific platform files. +''' diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py new file mode 100644 index 000000000..901eb5163 --- /dev/null +++ b/ipaplatform/redhat/authconfig.py @@ -0,0 +1,86 @@ +# Authors: Simo Sorce +# Alexander Bokovoy +# Tomas Babej +# +# Copyright (C) 2007-2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from ipapython import ipautil + + +class RedHatAuthConfig(object): + """ + AuthConfig class implements system-independent interface to configure + system authentication resources. In Red Hat systems this is done with + authconfig(8) utility. + + AuthConfig class is nothing more than a tool to gather configuration + options and execute their processing. These options then converted by + an actual implementation to series of a system calls to appropriate + utilities performing real configuration. + + If you need to re-use existing AuthConfig instance for multiple runs, + make sure to call 'AuthConfig.reset()' between the runs. + """ + + def __init__(self): + self.parameters = {} + + def enable(self, option): + self.parameters[option] = True + return self + + def disable(self, option): + self.parameters[option] = False + return self + + def add_option(self, option): + self.parameters[option] = None + return self + + def add_parameter(self, option, value): + self.parameters[option] = [value] + return self + + def reset(self): + self.parameters = {} + return self + + def build_args(self): + args = [] + + for (option, value) in self.parameters.items(): + if type(value) is bool: + if value: + args.append("--enable%s" % (option)) + else: + args.append("--disable%s" % (option)) + elif type(value) in (tuple, list): + args.append("--%s" % (option)) + args.append("%s" % (value[0])) + elif value is None: + args.append("--%s" % (option)) + else: + args.append("--%s%s" % (option, value)) + + return args + + def execute(self, update=True): + if update: + self.add_option("update") + + args = self.build_args() + ipautil.run(["/usr/sbin/authconfig"] + args) diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py new file mode 100644 index 000000000..6d7e76dc5 --- /dev/null +++ b/ipaplatform/redhat/paths.py @@ -0,0 +1,33 @@ +# Authors: +# Tomas Babej +# +# Copyright (C) 2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +''' +This Red Hat OS family base platform module exports default filesystem paths as +common in Red Hat OS family-based systems. +''' + +# Fallback to default path definitions +from ipaplatform.base.paths import BasePathNamespace + + +class RedHatPathNamespace(BasePathNamespace): + pass + + +paths = RedHatPathNamespace() diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py new file mode 100644 index 000000000..76e123ebe --- /dev/null +++ b/ipaplatform/redhat/services.py @@ -0,0 +1,237 @@ +# Author: Alexander Bokovoy +# Tomas Babej +# +# Copyright (C) 2011-2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +""" +Contains Red Hat OS family-specific service class implementations. +""" + +import os +import time + +from ipaplatform.tasks import tasks +from ipaplatform.base import services as base_services + +from ipapython import ipautil, dogtag +from ipapython.ipa_log_manager import root_logger +from ipalib import api +from ipaplatform.paths import paths + +# Mappings from service names as FreeIPA code references to these services +# to their actual systemd service names + +# For beginning just remap names to add .service +# As more services will migrate to systemd, unit names will deviate and +# mapping will be kept in this dictionary +redhat_system_units = dict((x, "%s.service" % x) + for x in base_services.wellknownservices) + +redhat_system_units['rpcgssd'] = 'nfs-secure.service' +redhat_system_units['rpcidmapd'] = 'nfs-idmap.service' + +# Rewrite dirsrv and pki-tomcatd services as they support instances via separate +# service generator. To make this working, one needs to have both foo@.servic +# and foo.target -- the latter is used when request should be coming for +# all instances (like stop). systemd, unfortunately, does not allow one +# to request action for all service instances at once if only foo@.service +# unit is available. To add more, if any of those services need to be +# started/stopped automagically, one needs to manually create symlinks in +# /etc/systemd/system/foo.target.wants/ (look into systemd.py's enable() +# code). + +redhat_system_units['dirsrv'] = 'dirsrv@.service' +# Our directory server instance for PKI is dirsrv@PKI-IPA.service +redhat_system_units['pkids'] = 'dirsrv@PKI-IPA.service' +# Old style PKI instance +redhat_system_units['pki-cad'] = 'pki-cad@pki-ca.service' +redhat_system_units['pki_cad'] = redhat_system_units['pki-cad'] +# Our PKI instance is pki-tomcatd@pki-tomcat.service +redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service' +redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd'] +redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket' + + +# Service classes that implement Red Hat OS family-specific behaviour + +class RedHatService(base_services.SystemdService): + system_units = redhat_system_units + + def __init__(self, service_name): + systemd_name = service_name + if service_name in self.system_units: + systemd_name = self.system_units[service_name] + else: + if '.' not in service_name: + # if service_name does not have a dot, it is not foo.service + # and not a foo.target. Thus, not correct service name for + # systemd, default to foo.service style then + systemd_name = "%s.service" % (service_name) + super(RedHatService, self).__init__(service_name, systemd_name) + + +class RedHatDirectoryService(RedHatService): + + def tune_nofile_platform(self, num=8192, fstore=None): + """ + Increase the number of files descriptors available to directory server + from the default 1024 to 8192. This will allow to support a greater + number of clients out of the box. + + This is a part of the implementation that is systemd-specific. + + Returns False if the setting of the nofile limit needs to be skipped. + """ + + if os.path.exists(paths.SYSCONFIG_DIRSRV_SYSTEMD): + # We need to enable LimitNOFILE=8192 in the dirsrv@.service + # Since 389-ds-base-1.2.10-0.8.a7 the configuration of the + # service parameters is performed via + # /etc/sysconfig/dirsrv.systemd file which is imported by systemd + # into dirsrv@.service unit + + replacevars = {'LimitNOFILE': str(num)} + ipautil.inifile_replace_variables(paths.SYSCONFIG_DIRSRV_SYSTEMD, + 'service', + replacevars=replacevars) + tasks.restore_context(paths.SYSCONFIG_DIRSRV_SYSTEMD) + ipautil.run(["/bin/systemctl", "--system", "daemon-reload"], + raiseonerr=False) + + return True + + def restart(self, instance_name="", capture_output=True, wait=True): + # We need to explicitly enable instances to install proper symlinks as + # dirsrv.target.wants/ dependencies. Standard systemd service class does it + # on enable() method call. Unfortunately, ipa-server-install does not do + # explicit dirsrv.enable() because the service startup is handled by ipactl. + # + # If we wouldn't do this, our instances will not be started as systemd would + # not have any clue about instances (PKI-IPA and the domain we serve) + # at all. Thus, hook into dirsrv.restart(). + + if instance_name: + elements = self.systemd_name.split("@") + + srv_etc = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, + self.systemd_name) + srv_tgt = os.path.join(paths.ETC_SYSTEMD_SYSTEM_DIR, + self.SYSTEMD_SRV_TARGET % (elements[0])) + srv_lnk = os.path.join(srv_tgt, + self.service_instance(instance_name)) + + if not os.path.exists(srv_etc): + self.enable(instance_name) + elif not os.path.samefile(srv_etc, srv_lnk): + os.unlink(srv_lnk) + os.symlink(srv_etc, srv_lnk) + + super(RedHatDirectoryService, self).restart(instance_name, + capture_output=capture_output, wait=wait) + + +class RedHatIPAService(RedHatService): + # Enforce restart of IPA services when we do enable it + # This gets around the fact that after ipa-server-install systemd thinks + # ipa.service is not yet started but all services were actually started + # already. + def enable(self, instance_name=""): + super(RedHatIPAService, self).enable(instance_name) + self.restart(instance_name) + + +class RedHatSSHService(RedHatService): + def get_config_dir(self, instance_name=""): + return '/etc/ssh' + + +class RedHatCAService(RedHatService): + def wait_until_running(self): + # We must not wait for the httpd proxy if httpd is not set up yet. + # Unfortunately, knownservices.httpd.is_installed() can return + # false positives, so check for existence of our configuration file. + # TODO: Use a cleaner solution + use_proxy = True + if not (os.path.exists('/etc/httpd/conf.d/ipa.conf') and + os.path.exists(paths.HTTPD_IPA_PKI_PROXY_CONF)): + root_logger.debug( + 'The httpd proxy is not installed, wait on local port') + use_proxy = False + root_logger.debug('Waiting until the CA is running') + timeout = float(api.env.startup_timeout) + op_timeout = time.time() + timeout + while time.time() < op_timeout: + try: + status = dogtag.ca_status(use_proxy=use_proxy) + except Exception: + status = 'check interrupted' + root_logger.debug('The CA status is: %s' % status) + if status == 'running': + break + root_logger.debug('Waiting for CA to start...') + time.sleep(1) + else: + raise RuntimeError('CA did not start in %ss' % timeout) + + def start(self, instance_name="", capture_output=True, wait=True): + super(RedHatCAService, self).start( + instance_name, capture_output=capture_output, wait=wait) + if wait: + self.wait_until_running() + + def restart(self, instance_name="", capture_output=True, wait=True): + super(RedHatCAService, self).restart( + instance_name, capture_output=capture_output, wait=wait) + if wait: + self.wait_until_running() + + +# Function that constructs proper Red Hat OS family-specific server classes for +# services of specified name + +def redhat_service_class_factory(name): + if name == 'dirsrv': + return RedHatDirectoryService(name) + if name == 'ipa': + return RedHatIPAService(name) + if name == 'sshd': + return RedHatSSHService(name) + if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'): + return RedHatCAService(name) + return RedHatService(name) + + +# Magicdict containing RedHatService instances. + +class RedHatServices(base_services.KnownServices): + def service_class_factory(self, name): + return redhat_service_class_factory(name) + + def __init__(self): + services = dict() + for s in base_services.wellknownservices: + services[s] = self.service_class_factory(s) + # Call base class constructor. This will lock services to read-only + super(RedHatServices, self).__init__(services) + + +# Objects below are expected to be exported by platform module + +from ipaplatform.base.services import timedate_services +service = redhat_service_class_factory +knownservices = RedHatServices() diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py new file mode 100644 index 000000000..30033b274 --- /dev/null +++ b/ipaplatform/redhat/tasks.py @@ -0,0 +1,394 @@ +# Authors: Simo Sorce +# Alexander Bokovoy +# Martin Kosek +# Tomas Babej +# +# Copyright (C) 2007-2014 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +''' +This module contains default Red Hat OS family-specific implementations of +system tasks. +''' + +import os +import stat +import socket +import sys +import urllib +import base64 + +from subprocess import CalledProcessError +from nss.error import NSPRError +from pyasn1.error import PyAsn1Error + +from ipapython.ipa_log_manager import root_logger, log_mgr +from ipapython import ipautil +import ipapython.errors + +from ipalib import x509 # FIXME: do not import from ipalib + +from ipaplatform.paths import paths +from ipaplatform.redhat.authconfig import RedHatAuthConfig +from ipaplatform.base.tasks import BaseTaskNamespace + + +log = log_mgr.get_logger(__name__) + + +def selinux_enabled(): + """ + Check if SELinux is enabled. + """ + if os.path.exists(paths.SELINUXENABLED): + try: + ipautil.run([paths.SELINUXENABLED]) + return True + except ipautil.CalledProcessError: + # selinuxenabled returns 1 if not enabled + return False + else: + # No selinuxenabled, no SELinux + return False + + +class RedHatTaskNamespace(BaseTaskNamespace): + + def restore_context(self, filepath, restorecon=paths.SBIN_RESTORECON): + """ + restore security context on the file path + SELinux equivalent is /path/to/restorecon + restorecon's return values are not reliable so we have to + ignore them (BZ #739604). + + ipautil.run() will do the logging. + """ + + if not selinux_enabled(): + return + + if (os.path.exists(restorecon)): + ipautil.run([restorecon, filepath], raiseonerr=False) + + def check_selinux_status(self, restorecon=paths.RESTORECON): + """ + We don't have a specific package requirement for policycoreutils + which provides restorecon. This is because we don't require + SELinux on client installs. However if SELinux is enabled then + this package is required. + + This function returns nothing but may raise a Runtime exception + if SELinux is enabled but restorecon is not available. + """ + if not selinux_enabled(): + return + + if not os.path.exists(restorecon): + raise RuntimeError('SELinux is enabled but %s does not exist.\n' + 'Install the policycoreutils package and start ' + 'the installation again.' % restorecon) + + def restore_pre_ipa_client_configuration(self, fstore, statestore, + was_sssd_installed, + was_sssd_configured): + + auth_config = RedHatAuthConfig() + if statestore.has_state('authconfig'): + # disable only those configurations that we enabled during install + for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'): + cnf = statestore.restore_state('authconfig', conf) + # Do not disable sssd, as this can cause issues with its later + # uses. Remove it from statestore however, so that it becomes + # empty at the end of uninstall process. + if cnf and conf != 'sssd': + auth_config.disable(conf) + else: + # There was no authconfig status store + # It means the code was upgraded after original install + # Fall back to old logic + auth_config.disable("ldap") + auth_config.disable("krb5") + if not(was_sssd_installed and was_sssd_configured): + # Only disable sssdauth. Disabling sssd would cause issues + # with its later uses. + auth_config.disable("sssdauth") + auth_config.disable("mkhomedir") + + auth_config.execute() + + def set_nisdomain(self, nisdomain): + # Let authconfig setup the permanent configuration + auth_config = RedHatAuthConfig() + auth_config.add_parameter("nisdomain", nisdomain) + auth_config.execute() + + def modify_nsswitch_pam_stack(self, sssd, mkhomedir, statestore): + auth_config = RedHatAuthConfig() + + if sssd: + statestore.backup_state('authconfig', 'sssd', True) + statestore.backup_state('authconfig', 'sssdauth', True) + auth_config.enable("sssd") + auth_config.enable("sssdauth") + else: + statestore.backup_state('authconfig', 'ldap', True) + auth_config.enable("ldap") + auth_config.enable("forcelegacy") + + if mkhomedir: + statestore.backup_state('authconfig', 'mkhomedir', True) + auth_config.enable("mkhomedir") + + auth_config.execute() + + def modify_pam_to_use_krb5(self, statestore): + auth_config = RedHatAuthConfig() + statestore.backup_state('authconfig', 'krb5', True) + auth_config.enable("krb5") + auth_config.add_option("nostart") + auth_config.execute() + + def insert_ca_certs_into_systemwide_ca_store(self, ca_certs): + new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') + + if os.path.exists(new_cacert_path): + try: + os.remove(new_cacert_path) + except OSError, e: + root_logger.error( + "Could not remove %s: %s", new_cacert_path, e) + return False + + new_cacert_path = paths.IPA_P11_KIT + + try: + f = open(new_cacert_path, 'w') + except IOError, e: + root_logger.info("Failed to open %s: %s" % (new_cacert_path, e)) + return False + + f.write("# This file was created by IPA. Do not edit.\n" + "\n") + + has_eku = set() + for cert, nickname, trusted, ext_key_usage in ca_certs: + try: + subject = x509.get_der_subject(cert, x509.DER) + issuer = x509.get_der_issuer(cert, x509.DER) + serial_number = x509.get_der_serial_number(cert, x509.DER) + public_key_info = x509.get_der_public_key_info(cert, x509.DER) + except (NSPRError, PyAsn1Error), e: + root_logger.warning( + "Failed to decode certificate \"%s\": %s", nickname, e) + continue + + label = urllib.quote(nickname) + subject = urllib.quote(subject) + issuer = urllib.quote(issuer) + serial_number = urllib.quote(serial_number) + public_key_info = urllib.quote(public_key_info) + + cert = base64.b64encode(cert) + cert = x509.make_pem(cert) + + obj = ("[p11-kit-object-v1]\n" + "class: certificate\n" + "certificate-type: x-509\n" + "certificate-category: authority\n" + "label: \"%(label)s\"\n" + "subject: \"%(subject)s\"\n" + "issuer: \"%(issuer)s\"\n" + "serial-number: \"%(serial_number)s\"\n" + "x-public-key-info: \"%(public_key_info)s\"\n" % + dict(label=label, + subject=subject, + issuer=issuer, + serial_number=serial_number, + public_key_info=public_key_info)) + if trusted is True: + obj += "trusted: true\n" + elif trusted is False: + obj += "x-distrusted: true\n" + obj += "%s\n\n" % cert + f.write(obj) + + if ext_key_usage is not None and public_key_info not in has_eku: + if not ext_key_usage: + ext_key_usage = {x509.EKU_PLACEHOLDER} + try: + ext_key_usage = x509.encode_ext_key_usage(ext_key_usage) + except PyAsn1Error, e: + root_logger.warning( + "Failed to encode extended key usage for \"%s\": %s", + nickname, e) + continue + value = urllib.quote(ext_key_usage) + obj = ("[p11-kit-object-v1]\n" + "class: x-certificate-extension\n" + "label: \"ExtendedKeyUsage for %(label)s\"\n" + "x-public-key-info: \"%(public_key_info)s\"\n" + "object-id: 2.5.29.37\n" + "value: \"%(value)s\"\n\n" % + dict(label=label, + public_key_info=public_key_info, + value=value)) + f.write(obj) + has_eku.add(public_key_info) + + f.close() + + # Add the CA to the systemwide CA trust database + try: + ipautil.run([paths.UPDATE_CA_TRUST]) + except CalledProcessError, e: + root_logger.info("Failed to add CA to the systemwide " + "CA trust database: %s" % str(e)) + else: + root_logger.info('Added the CA to the systemwide CA trust ' + 'database.') + return True + + return False + + def remove_ca_certs_from_systemwide_ca_store(self): + ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt') + update = False + + # Remove CA cert from systemwide store + for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt): + if not os.path.exists(new_cacert_path): + continue + try: + os.remove(new_cacert_path) + except OSError, e: + root_logger.error( + "Could not remove %s: %s", new_cacert_path, e) + else: + update = True + + if update: + try: + ipautil.run([paths.UPDATE_CA_TRUST]) + except CalledProcessError, e: + root_logger.error( + "Could not update systemwide CA trust database: %s", e) + return False + else: + root_logger.info("Systemwide CA database updated.") + return True + + return False + + def backup_and_replace_hostname(self, fstore, statestore, hostname): + old_hostname = socket.gethostname() + try: + ipautil.run([paths.BIN_HOSTNAME, hostname]) + except ipautil.CalledProcessError, e: + print >>sys.stderr, ("Failed to set this machine hostname to " + "%s (%s)." % (hostname, str(e))) + + filepath = paths.ETC_HOSTNAME + if os.path.exists(filepath): + # read old hostname + with open(filepath, 'r') as f: + for line in f.readlines(): + line = line.strip() + if not line or line.startswith('#'): + # skip comment or empty line + continue + old_hostname = line + break + fstore.backup_file(filepath) + + with open(filepath, 'w') as f: + f.write("%s\n" % hostname) + os.chmod(filepath, + stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH) + os.chown(filepath, 0, 0) + self.restore_context(filepath) + + # store old hostname + statestore.backup_state('network', 'hostname', old_hostname) + + def restore_network_configuration(self, fstore, statestore): + old_filepath = paths.SYSCONFIG_NETWORK + old_hostname = statestore.get_state('network', 'hostname') + hostname_was_configured = False + + if fstore.has_file(old_filepath): + # This is Fedora >=18 instance that was upgraded from previous + # Fedora version which held network configuration + # in /etc/sysconfig/network + old_filepath_restore = paths.SYSCONFIG_NETWORK_IPABKP + fstore.restore_file(old_filepath, old_filepath_restore) + print "Deprecated configuration file '%s' was restored to '%s'" \ + % (old_filepath, old_filepath_restore) + hostname_was_configured = True + + filepath = paths.ETC_HOSTNAME + if fstore.has_file(filepath): + fstore.restore_file(filepath) + hostname_was_configured = True + + if not hostname_was_configured and old_hostname: + # hostname was not configured before but was set by IPA. Delete + # /etc/hostname to restore previous configuration + try: + os.remove(filepath) + except OSError: + pass + + def set_selinux_booleans(self, required_settings, backup_func=None): + def get_setsebool_args(changes): + args = [paths.SETSEBOOL, "-P"] + args.extend(["%s=%s" % update for update in changes.iteritems()]) + + return args + + if not selinux_enabled(): + return False + + updated_vars = {} + failed_vars = {} + for setting, state in required_settings.iteritems(): + try: + (stdout, stderr, rc) = ipautil.run([paths.GETSEBOOL, setting]) + original_state = stdout.split()[2] + if backup_func is not None: + backup_func(setting, original_state) + + if original_state != state: + updated_vars[setting] = state + except ipautil.CalledProcessError, e: + log.error("Cannot get SELinux boolean '%s': %s", setting, e) + failed_vars[setting] = state + + if updated_vars: + args = get_setsebool_args(updated_vars) + try: + ipautil.run(args) + except ipautil.CalledProcessError: + failed_vars.update(updated_vars) + + if failed_vars: + raise ipapython.errors.SetseboolError( + failed=failed_vars, + command=' '.join(get_setsebool_args(failed_vars))) + + return True + + +tasks = RedHatTaskNamespace() -- cgit