From bb6230389981ec286faf7bc631569bb475c4730d Mon Sep 17 00:00:00 2001
From: Thierry Bordaz
Date: Feb 12 2020 17:16:02 +0000
Subject: ticket 50297 - prefix deployment -selinux +uid

Bug Description: On prefix build, the defaultuser/defaultgroup is set to dirsrv. While the installed build belongs to the local user. By default selinux is True in general option. Selinux should be used only if if the instance['user'] = 'root'. If policycoreutils-python-utils is not installed, port can not be labelled.
Fix Description: 'configure' supports two new options '--with-username' and '--with-groupname'. They replace the default value (dirsrv) in default.inf template file Set selinux=False if the user is not root and do not try to label a port if the running user is not root. If semanage is not found in the path, let's consider selinux_enable is False
https://pagure.io/389-ds-base/issue/50297
Reviewed by: Mark Reynolds, William Brown, Matus Honek
Platforms tested: F28
Flag Day: no
Doc impact: no
---
diff --git a/configure.ac b/configure.ac
index 95772d7..f901979 100644
--- a/configure.ac
+++ b/configure.ac
@@ -511,8 +511,28 @@ configdir=/$PACKAGE_NAME/config
 schemadir=/$PACKAGE_NAME/schema
 
 # default user, group
-defaultuser=dirsrv
-defaultgroup=dirsrv
+AC_MSG_CHECKING(for --with-username)
+AC_ARG_WITH([username],
+ AS_HELP_STRING([--with-username=USERNAME],
+ [Name of the user running the instances])
+)
+if test -n "$with_username"; then
+ AC_MSG_RESULT([$with_username])
+ defaultuser=$with_username
+else
+ defaultuser=dirsrv
+fi
+AC_MSG_CHECKING(for --with-groupname)
+AC_ARG_WITH([groupname],
+ AS_HELP_STRING([--with-groupname=GROUPNAME],
+ [Group of the user running the instances])
+)
+if test -n "$with_groupname"; then
+ AC_MSG_RESULT([$with_groupname])
+ defaultgroup=$with_groupname
+else
+ defaultgroup=dirsrv
+fi
 
 AC_MSG_CHECKING(for --with-perldir)
 AC_ARG_WITH([perldir],
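Review bot: In the `else` branch of each new `if test -n` block the preceding `AC_MSG_CHECKING(for --with-username)` / `AC_MSG_CHECKING(for --with-groupname)` is never answered, so when the option is not given configure's output is left mid-line ("checking for --with-username...") and the next message runs on after it; an `AC_MSG_RESULT([$defaultuser])` and `AC_MSG_RESULT([$defaultgroup])` after the fallback assignments keeps it consistent with the --with-perldir check that follows. The supplied name is also substituted straight into defaults.inf as the account the instances run as, and `test -n` accepts whitespace or shell metacharacters; a reject such as `case $with_username in *[[!A-Za-z0-9._-]]*) AC_MSG_ERROR([invalid --with-username]);; esac` (same for the group) would be a cheap guard against a mistyped value reaching the installed template.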
diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in
index 42fc09f..a0857c8 100644
--- a/ldap/admin/src/defaults.inf.in
+++ b/ldap/admin/src/defaults.inf.in
@@ -45,8 +45,8 @@ system_schema_dir = @systemschemadir@
 tmpfiles_d = @tmpfiles_d@
 
 ; These values can be altered in an installation of ds
-user = dirsrv
-group = dirsrv
+user = @defaultuser@
+group = @defaultgroup@
 root_dn = cn=Directory Manager
 schema_dir = @instconfigdir@/slapd-{instance_name}/schema
 
diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
index c77c5a5..919d859 100644
--- a/src/lib389/lib389/__init__.py
+++ b/src/lib389/lib389/__init__.py
@@ -69,7 +69,8 @@ from lib389.utils import (
 ensure_list_str,
 format_cmd_list,
 selinux_present,
-selinux_label_port)
+selinux_label_port,
+get_user_is_root)
 from lib389.paths import Paths
 from lib389.nss_ssl import NssSsl
 from lib389.tasks import BackupTask, RestoreTask
@@ -840,6 +841,9 @@ class DirSrv(SimpleLDAPObject, object):
 slapd_options.verify()
 slapd = slapd_options.collect()
 
+ if not slapd['user'] == 'root':
+ general['selinux'] = False
+
 # In order to work by "default" for tests, we need to create a backend.
 backends = []
 if self.creation_suffix is not None:
@@ -1595,7 +1599,7 @@ class DirSrv(SimpleLDAPObject, object):
 self.config.set('nsslapd-security', 'on')
 self.use_ldaps_uri()
 
- if selinux_present():
+ if selinux_present() and get_user_is_root():
 selinux_label_port(self.sslport)
 
 if self.ds_paths.perl_enabled:
diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
index b3a7272..b031f3d 100644
--- a/src/lib389/lib389/utils.py
+++ b/src/lib389/lib389/utils.py
@@ -193,6 +193,10 @@ def selinux_present():
 """
 status = False
 
+ if not shutil.which("semanage"):
+ log.error('semanage command not found, will not relabel ports.' )
+ return status
+
 try:
 import selinux
 if selinux.is_selinux_enabled():
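Review bot: The new guard `if not slapd['user'] == 'root':` keys the SELinux decision on the account the instance will run as, not on who is running the installer: with the packaged default (`user = dirsrv`, per the defaults.inf.in hunk in this same commit) the condition is true for every ordinary root-driven install, so `general['selinux'] = False` is forced there too and port labelling is dropped for the default deployment, not only the prefix one — if I read the option semantics right. The hunk at 1599 already decides the same question with `get_user_is_root()`; keying this one on it as well, `if not get_user_is_root():` followed by `general['selinux'] = False`, would confine the override to unprivileged installs, and a debug log line at that point (the instance logger, if DirSrv carries one) would make the silent override of a user-supplied `selinux = True` visible. Stylistically `!=` reads better than `not ... ==`. The enclosing method starts and ends outside the hunk.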
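Review bot: When `get_user_is_root()` is false, `selinux_label_port(self.sslport)` is now skipped without any trace, whereas the matching semanage check added to utils.py in this commit logs why it gives up; an `else:` branch with a log line stating that the LDAPS port is left unlabelled because the process is unprivileged would help whoever later finds the port blocked by policy. The enclosing method starts and ends outside the hunk.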
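Review bot: The early return at `if not shutil.which("semanage"):` changes what `selinux_present()` reports — it now answers False even when the python bindings would say SELinux is enabled — and the docstring closed by the hunk's first context line does not say so; adding a sentence such as `Also returns False when semanage is not in PATH, since ports cannot be labelled without it.` keeps callers in __init__.py honest about what the function means. The `log.error(...)` level also seems high for a condition this commit expects on prefix builds, `log.warning` fits better, and the literal has a stray space before the closing parenthesis in `'... relabel ports.' )`. The hunk relies on `shutil` already being imported in utils.py, which it does not show — worth confirming. The function's `def` line is only the hunk heading and its body continues below the hunk.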