We don't have an explicit requires on the policycoreutils package in the client because SELinux is not required (just recommended).

SELinux can be enabled without this package so check for that condition and don't allow installation if it is the case. The resulting install will be rather broken.

Also check on the server when installing. This should never happen, but in theory the server install could complete and the client install could then fail because of this.

rob
>From 4dd818ed5d194add8dfccc8dc854067d089ad400 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Fri, 18 May 2012 11:37:11 -0400
Subject: [PATCH] If SELinux is enabled ensure we also have /sbin/restorecon.

We don't have a specific requires on the policycoreutils package. It
gets pulled in as a dependency on the server anyway, but checking
there is like a belt and suspenders.

On the client we don't require SELinux at all. If SELinux is enabled
however we need /sbin/restorecon to set things up properly. This is
provided by the policycoreutils package so fail if that isn't available.

https://fedorahosted.org/freeipa/ticket/2368
---
 install/tools/ipa-replica-install         |    1 +
 install/tools/ipa-server-install          |    2 +
 ipa-client/ipa-install/ipa-client-install |    1 +
 ipapython/platform/fedora16.py            |   23 ++++++++++----
 ipapython/platform/redhat.py              |   46 ++++++++++++++++++++++++----
 5 files changed, 59 insertions(+), 14 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 83c1324215433a83c81650bfcf2cd860b86772d4..d3716204aa815f063f2c830ab91edc06e7e6fec3 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -276,6 +276,7 @@ def check_bind():
         sys.exit(1)
 
 def main():
+    ipaservices.check_selinux_status()
     safe_options, options, filename = parse_options()
     standard_logging_setup("/var/log/ipareplica-install.log", debug=options.debug)
     root_logger.debug('%s was invoked with argument "%s" and options: %s' % (sys.argv[0], filename, safe_options))
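Review bot: `ipaservices.check_selinux_status()` is the first statement of main(), ahead of `parse_options()` and `standard_logging_setup(...)`, so a host that fails the check cannot reach option parsing (presumably including `--help`) and the RuntimeError is never written to /var/log/ipareplica-install.log. Moving the call to just after `standard_logging_setup(...)` would keep the failure in the install log; the same ordering appears in ipa-client-install, where the call sits before `logging_setup(options)`. In ipa-server-install and ipa-client-install the neighbouring root checks stop with `sys.exit("...")` while this check raises. Whether main()'s caller turns a RuntimeError into a clean message is outside these hunks, so it is worth confirming that the operator sees the policycoreutils hint rather than a traceback. main() continues outside the hunk in all three files.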
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 1dd02ba870a02e902c4c345d9f5802ef09f78a7a..f789a6ceb795ff6b93903f1b8867c9bd07b228ec 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -529,6 +529,8 @@ def main():
     if os.getegid() != 0:
         sys.exit("Must be root to set up server")
 
+    ipaservices.check_selinux_status()
+
     signal.signal(signal.SIGTERM, signal_handler)
     signal.signal(signal.SIGINT, signal_handler)
 
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 67279b3ed8ae8a25e845ccbcce7143efcaf6d467..c3e9f81ddc43fd7ac8965d4901795daa90e74d40 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1543,6 +1543,7 @@ def main():
 
     if not os.getegid() == 0:
         sys.exit("\nYou must be root to run ipa-client-install.\n")
+    ipaservices.check_selinux_status()
     logging_setup(options)
     root_logger.debug('%s was invoked with options: %s' % (sys.argv[0], safe_options))
     root_logger.debug("missing options might be asked for interactively later\n")
diff --git a/ipapython/platform/fedora16.py b/ipapython/platform/fedora16.py
index 2d0ede99adc8853db77bfd72719c0067c23b29c5..fabdce72ae161f7666ecfbdf121880c181468595 100644
--- a/ipapython/platform/fedora16.py
+++ b/ipapython/platform/fedora16.py
@@ -22,13 +22,21 @@ from ipapython.platform import base, redhat, systemd
 import os
 
 # All what we allow exporting directly from this module
-# Everything else is made available through these symbols when they directly imported into ipapython.services:
-# authconfig -- class reference for platform-specific implementation of authconfig(8)
-# service    -- class reference for platform-specific implementation of a PlatformService class
-# knownservices -- factory instance to access named services IPA cares about, names are ipapython.services.wellknownservices
-# backup_and_replace_hostname -- platform-specific way to set hostname and make it persistent over reboots
-# restore_context -- platform-sepcific way to restore security context, if applicable
-__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context']
+# Everything else is made available through these symbols when they directly
+# imported into ipapython.services:
+# authconfig -- class reference for platform-specific implementation of
+#               authconfig(8)
+# service    -- class reference for platform-specific implementation of a
+#               PlatformService class
+# knownservices -- factory instance to access named services IPA cares about,
+#                  names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and
+#                                make it persistent over reboots
+# restore_context -- platform-sepcific way to restore security context, if
+#                    applicable
+# check_selinux_status -- platform-specific way to see if SELinux is enabled
+#                         and restorecon is installed.
+__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status']
 
 # For beginning just remap names to add .service
 # As more services will migrate to systemd, unit names will deviate and
@@ -127,3 +135,4 @@ service = f16_service
 knownservices = Fedora16Services()
 restore_context = redhat.restore_context
 backup_and_replace_hostname = redhat.backup_and_replace_hostname
+check_selinux_status = redhat.check_selinux_status
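Review bot: The installers now call `ipaservices.check_selinux_status()` unconditionally, but the diffstat only adds the symbol to fedora16.py and redhat.py. If `ipaservices` can resolve to any other platform module, or to the `base` module imported at the top of this file, that call would fail with an AttributeError before the install starts. A no-op default next to the other platform hooks would make the contract explicit, something like `def check_selinux_status(): return` with a comment that platforms without SELinux tooling skip the check. How `ipaservices` selects its backend is not visible here, so this may already be covered.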
diff --git a/ipapython/platform/redhat.py b/ipapython/platform/redhat.py
index bd79a5312eab1621aa575c3fe98577a65a86f3a9..76db958f046a7ddaf6e1e1e584308c6b5b7ef7af 100644
--- a/ipapython/platform/redhat.py
+++ b/ipapython/platform/redhat.py
@@ -28,13 +28,22 @@ from ipapython import ipautil
 from ipapython.platform import base
 
 # All what we allow exporting directly from this module
-# Everything else is made available through these symbols when they directly imported into ipapython.services:
-# authconfig -- class reference for platform-specific implementation of authconfig(8)
-# service    -- class reference for platform-specific implementation of a PlatformService class
-# knownservices -- factory instance to access named services IPA cares about, names are ipapython.services.wellknownservices
-# backup_and_replace_hostname -- platform-specific way to set hostname and make it persistent over reboots
-# restore_context -- platform-sepcific way to restore security context, if applicable
-__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context']
+# Everything else is made available through these symbols when they directly
+# imported into ipapython.services:
+#
+# authconfig -- class reference for platform-specific implementation of
+#               authconfig(8)
+# service    -- class reference for platform-specific implementation of a
+#               PlatformService class
+# knownservices -- factory instance to access named services IPA cares about,
+#                  names are ipapython.services.wellknownservices
+# backup_and_replace_hostname -- platform-specific way to set hostname and
+#                                make it persistent over reboots
+# restore_context -- platform-sepcific way to restore security context, if
+#                    applicable
+# check_selinux_status -- platform-specific way to see if SELinux is enabled
+#                         and restorecon is installed.
+__all__ = ['authconfig', 'service', 'knownservices', 'backup_and_replace_hostname', 'restore_context', 'check_selinux_status']
 
 class RedHatService(base.PlatformService):
     def stop(self, instance_name="", capture_output=True):
@@ -168,3 +177,26 @@ def backup_and_replace_hostname(fstore, statestore, hostname):
         statestore.backup_state('network', 'hostname', old_values['HOSTNAME'])
     else:
         statestore.backup_state('network', 'hostname', old_hostname)
+
+def check_selinux_status():
+    """
+    We don't have a specific package requirement for policycoreutils
+    which provides /sbin/restorecon. This is because we don't require
+    SELinux on client installs. However if SELinux is enabled then
+    this package is required.
+
+    This function returns nothing but may raise a Runtime exception
+    if SELinux is enabled but /sbin/restorecon is not available.
+    """
+    try:
+        if (os.path.exists('/usr/sbin/selinuxenabled')):
+            ipautil.run(["/usr/sbin/selinuxenabled"])
+        else:
+            # No selinuxenabled, no SELinux
+            return
+    except ipautil.CalledProcessError:
+        # selinuxenabled returns 1 if not enabled
+        return
+
+    if not os.path.exists('/sbin/restorecon'):
+        raise RuntimeError('SELinux is enabled but /sbin/restorecon does not exist.\nInstall the policycoreutils package and start the installation again.')
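Review bot: The `else: return` branch treats a missing /usr/sbin/selinuxenabled as "SELinux is off", and the `except ipautil.CalledProcessError` branch treats every non-zero exit as "not enabled", so the check fails open. A host with SELinux enabled in the kernel but without that helper, or one where the helper errors out, passes without restorecon ever being verified. At minimum the comment should state the assumption, e.g. `# NOTE: assumes selinuxenabled is installed whenever SELinux is active; its absence is treated as disabled`. The final test only proves that the path exists; `if not os.access('/sbin/restorecon', os.X_OK):` would also reject a non-executable file. The hunk does not show an `import os` in redhat.py, so confirm it is in scope. It is also worth confirming that `restore_context` invokes the same /sbin/restorecon path that is checked here.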
-- 
1.7.7.6
