From 9a427f0bda168d6432f050ec344b72aacd411e84 Mon Sep 17 00:00:00 2001 From: Mark Reynolds Date: Thu, 30 Jun 2016 10:03:27 -0400 Subject: [PATCH] Ticket 48306 - perl module conditional test is not conditional when checking SELinux policies Description: If sestatus reports SELinux is disabled, SELinux commands such as semanage and restorecon fail. This patch checks the availability and only if the status says SELinux is enabled, it calls the SELinux commands. https://fedorahosted.org/389/ticket/48306 Reviewed by: ? --- admserv/newinst/src/AdminServer.pm.in | 93 ++++++++++++++++++----------------- 1 file changed, 48 insertions(+), 45 deletions(-) diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in index 480fb3a..9b605e5 100644 --- a/admserv/newinst/src/AdminServer.pm.in +++ b/admserv/newinst/src/AdminServer.pm.in @@ -104,6 +104,17 @@ sub checkRequiredParameters { return 1; } +sub usingSELinux { + my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL "); + + if ((getLogin() eq 'root') and "@with_selinux@" and -f "@sbindir@/sestatus" and + !system ("@sbindir@/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) { + # We are using SELinux + return 1; + } + return 0; +} + sub setFileOwnerPerms { my $setup = shift; my $configdir = shift; @@ -470,11 +481,8 @@ sub startAdminServer { # If we're using selinux, start the server with the proper context # to allow the process to transition to the proper domain. - if ("@with_selinux@") { - $rc = system("/usr/sbin/selinuxenabled"); - if ($rc == 0) { - $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t"; - } + if (usingSELinux()) { + $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t"; } if ($isrunning) { 
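Review bot: usingSELinux answers "is SELinux enabled" by spawning a shell pipeline and grepping the text of sestatus, while the lines this commit removes at @@ -470, @@ -783 and @@ -900 used the exit status of `/usr/sbin/selinuxenabled` for the same question; `-f "@sbindir@/selinuxenabled" and system("@sbindir@/selinuxenabled") == 0` needs no shell, no egrep (whose `\s` is a GNU extension) and does not depend on the wording of sestatus's output. The `getLogin() eq 'root'` conjunct also folds "are we root" into the answer, so every caller switched to usingSELinux() (lines 481, 744 and 878) now silently skips its SELinux work for a non-root run instead of attempting it and reporting the failure; if that is intended, the `# We are using SELinux` comment should say so, e.g. `# SELinux is built in and enabled, and we are root (needed for semanage/setsebool)`. The `$mydevnull` NUL branch is dead on this code path, which already hard-codes /usr/sbin elsewhere.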
@@ -736,7 +744,7 @@ sub removeAdminServer { my $rundir = $ENV{ADMSERV_PID_DIR} || "@piddir@"; # Need to unlabel the port if we're using SELinux. - if ("@with_selinux@") { + if (usingSELinux()) { my $port; # Read the console.conf file to find the port number. @@ -783,29 +791,26 @@ sub removeAdminServer { # turn off the switch to allow admin server to connect to the ldap port $? = 0; # clear error - $rc = system("/usr/sbin/selinuxenabled"); - if ($rc == 0) { - my $cmd = "getsebool httpd_can_connect_ldap"; - my $output = `$cmd 2>&1`; + my $cmd = "getsebool httpd_can_connect_ldap"; + my $output = `$cmd 2>&1`; + chomp($output); + if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { + # this version of selinux does not support the boolean value + debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); + } elsif ($?) { + $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); + } elsif ($output =~ /on$/) { + $cmd = "setsebool -P httpd_can_connect_ldap off"; + $? = 0; # clear error + $output = `$cmd 2>&1`; chomp($output); - if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { - # this version of selinux does not support the boolean value - debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); - } elsif ($?) { + if ($?) { $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } elsif ($output =~ /on$/) { - $cmd = "setsebool -P httpd_can_connect_ldap off"; - $? = 0; # clear error - $output = `$cmd 2>&1`; - chomp($output); - if ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } else { - debug(1, "$cmd was successful\n"); - } } else { - debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n"); + debug(1, "$cmd was successful\n"); } + } else { + debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n"); } } 
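Review bot: The getsebool/setsebool sequence in this hunk and the one at @@ -900 in updateSelinuxPolicy are the same block differing only in the direction (`/on$/` then `off` here, `/off$/` then `on` there), and the commit re-indents both copies rather than merging them; a helper taking `$setup` and the wanted value leaves one copy to maintain. The enclosing block of this hunk starts and ends outside it, so whether this code now sits under the `usingSELinux()` test added at @@ -736 — the only thing left standing in for the removed selinuxenabled check — cannot be confirmed from here and deserves a look. The call sites become `setHttpdCanConnectLdap($setup, 'off');` here and `setHttpdCanConnectLdap($setup, 'on');` at @@ -900.
```perl
    # turn off the switch to allow admin server to connect to the ldap port
    setHttpdCanConnectLdap($setup, 'off');
    # … unchanged: rest of removeAdminServer …

# Set the SELinux boolean httpd_can_connect_ldap to $want ('on' or 'off')
# unless it already has that value.  getsebool reporting "Error getting
# active value" means this policy has no such boolean; that is logged at
# debug level only, any other failure is reported through $setup->msg.
sub setHttpdCanConnectLdap {
    my ($setup, $want) = @_;
    die "setHttpdCanConnectLdap: want must be 'on' or 'off'\n"
        unless $want eq 'on' or $want eq 'off';

    my $cmd = "getsebool httpd_can_connect_ldap";
    $? = 0; # clear error
    my $output = `$cmd 2>&1`;
    chomp($output);
    if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
        # this version of selinux does not support the boolean value
        debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
    } elsif ($?) {
        $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
    } elsif ($output !~ /\Q$want\E$/) {
        $cmd = "setsebool -P httpd_can_connect_ldap $want";
        $? = 0; # clear error
        $output = `$cmd 2>&1`;
        chomp($output);
        if ($?) {
            $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
        } else {
            debug(1, "$cmd was successful\n");
        }
    } else {
        debug(1, "selinux boolean httpd_can_connect_ldap is already $want - $output\n");
    }
    return;
}
```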
@@ -873,7 +878,7 @@ sub updateSelinuxPolicy { my $rundir = shift; # if selinux is not available, do nothing - if ("@with_selinux@") { + if (usingSELinux()) { # run restorecon on all directories we created system("restorecon -R $configdir $securitydir $logdir $rundir"); @@ -900,29 +905,27 @@ sub updateSelinuxPolicy { # turn on the switch to allow admin server to connect to the ldap port $? = 0; # clear error - $rc = system("/usr/sbin/selinuxenabled"); - if ($rc == 0) { - my $cmd = "getsebool httpd_can_connect_ldap"; - my $output = `$cmd 2>&1`; + + my $cmd = "getsebool httpd_can_connect_ldap"; + my $output = `$cmd 2>&1`; + chomp($output); + if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { + # this version of selinux does not support the boolean value + debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); + } elsif ($?) { + $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); + } elsif ($output =~ /off$/) { + $cmd = "setsebool -P httpd_can_connect_ldap on"; + $? = 0; # clear error + $output = `$cmd 2>&1`; chomp($output); - if ($output =~ /Error getting active value for httpd_can_connect_ldap/) { - # this version of selinux does not support the boolean value - debug(1, "This version of selinux does not support httpd_can_connect_ldap\n"); - } elsif ($?) { + if ($?) { $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } elsif ($output =~ /off$/) { - $cmd = "setsebool -P httpd_can_connect_ldap on"; - $? = 0; # clear error - $output = `$cmd 2>&1`; - chomp($output); - if ($?) { - $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!); - } else { - debug(1, "$cmd was successful\n"); - } } else { - debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n"); + debug(1, "$cmd was successful\n"); } + } else { + debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n"); } } } -- 2.4.11
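Review bot: The comment kept above the new test, `# if selinux is not available, do nothing`, no longer describes the condition: usingSELinux() (added at @@ -104) returns 0 when SELinux is built in but sestatus reports it disabled — the case this ticket is about — and also when getLogin() is not 'root', so the restorecon/semanage block that follows is skipped in both situations without any message. Suggest `# if selinux is not enabled (or we are not root), skip the policy updates` and, since debug() is already used in this function, an else branch with `debug(1, "SELinux not enabled, skipping policy update\n");` so a silent skip shows up in the setup log. updateSelinuxPolicy's body runs past the end of this hunk.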