
[389-commits] admserv/newinst

admserv/newinst/src/AdminServer.pm.in | 93 +++++++++++++++++-----------------
1 file changed, 48 insertions(+), 45 deletions(-)

New commits:
commit 283434ca9e71fb385f390039763a68882930b42d
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Thu Jun 30 10:03:27 2016 -0400

Ticket 48306 - perl module conditional test is not conditional when checking SELinux policies

Description: If sestatus reports that SELinux is disabled, SELinux commands
such as semanage and restorecon fail. This patch checks whether SELinux is
available and calls the SELinux commands only when sestatus reports it as
enabled.

https://fedorahosted.org/389/ticket/48306

Reviewed by: nhosoi(Thanks!)

diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index 480fb3a..9b605e5 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -104,6 +104,17 @@ sub checkRequiredParameters {
return 1;
}

+sub usingSELinux {
+ my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL ");
+
+ if ((getLogin() eq 'root') and "@with_selinux@" and -f "@sbindir@/sestatus" and
+ !system ("@sbindir@/sestatus | egrep -i \"selinux status:\\s*enabled\" > $mydevnull 2>&1")) {
+ # We are using SELinux
+ return 1;
+ }
+ return 0;
+}
+
sub setFileOwnerPerms {
my $setup = shift;
my $configdir = shift;
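Review bot: The new `usingSELinux` guards the pipeline with `-f "@sbindir@/sestatus"`, so a sestatus that exists but is not executable, or an `egrep` missing from PATH, makes `system` fail and the sub return 0, which silently skips every restorecon/semanage/setsebool step in the callers instead of surfacing a problem; the test should be `-x "@sbindir@/sestatus"` and the not-detected path should at least log, e.g. `debug(1, "SELinux not enabled or not available - skipping SELinux commands\n");`. Grepping the human-readable sestatus output through a shell also replaces the purpose-built exit-status check the removed lines used at all three call sites (`system("/usr/sbin/selinuxenabled")`); if sestatus was chosen deliberately a comment should say why, otherwise `!system("/usr/sbin/selinuxenabled")` is the more robust and quieter test. Note too that the `getLogin() eq 'root'` condition is new relative to the plain `"@with_selinux@"` guards it replaces, so a non-root caller of removeAdminServer now skips the port-unlabel branch entirely; the sub has no header comment, and one such as `# Returns 1 only when built with SELinux support, running as root and sestatus reports SELinux enabled; callers skip all SELinux commands otherwise.` would make that intentional.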
@@ -470,11 +481,8 @@ sub startAdminServer {

# If we're using selinux, start the server with the proper context
# to allow the process to transition to the proper domain.
- if ("@with_selinux@") {
- $rc = system("/usr/sbin/selinuxenabled");
- if ($rc == 0) {
- $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t";
- }
+ if (usingSELinux()) {
+ $selinux_cmd = "runcon -u system_u -r system_r -t initrc_t";
}

if ($isrunning) {
@@ -736,7 +744,7 @@ sub removeAdminServer {
my $rundir = $ENV{ADMSERV_PID_DIR} || "@piddir@";

# Need to unlabel the port if we're using SELinux.
- if ("@with_selinux@") {
+ if (usingSELinux()) {
my $port;

# Read the console.conf file to find the port number.
@@ -783,29 +791,26 @@ sub removeAdminServer {
# turn off the switch to allow admin server to connect to the ldap port
$? = 0; # clear error

- $rc = system("/usr/sbin/selinuxenabled");
- if ($rc == 0) {
- my $cmd = "getsebool httpd_can_connect_ldap";
- my $output = `$cmd 2>&1`;
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } elsif ($output =~ /on$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap off";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
chomp($output);
- if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
- # this version of selinux does not support the boolean value
- debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
- } elsif ($?) {
+ if ($?) {
$setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
- } elsif ($output =~ /on$/) {
- $cmd = "setsebool -P httpd_can_connect_ldap off";
- $? = 0; # clear error
- $output = `$cmd 2>&1`;
- chomp($output);
- if ($?) {
- $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
- } else {
- debug(1, "$cmd was successful\n");
- }
} else {
- debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n");
+ debug(1, "$cmd was successful\n");
}
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n");
}
}

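Review bot: The dedented getsebool/setsebool block in removeAdminServer and its twin in the updateSelinuxPolicy hunk are now two near-identical twenty-line copies that differ only in the on/off target and the "already on/off" message, and since this commit rewrites both it is the natural point to factor them into one helper that takes the boolean name and the desired value. Each call site then collapses to `setSelinuxBoolean($setup, 'httpd_can_connect_ldap', 'off');` here and `setSelinuxBoolean($setup, 'httpd_can_connect_ldap', 'on');` in updateSelinuxPolicy, with the same debug/warn output as today. The sketch below keeps the existing logic, including the "current value is the opposite → flip, anything else → report already set" ordering, so unexpected getsebool output behaves as before; `$setup`, `debug` and `$SetupLog::WARN` are the names the hunk already uses. The enclosing removeAdminServer sub begins before this hunk.
```perl
# Ensure SELinux boolean $name is $want ('on' or 'off'), persistently (-P).
# Only warns; a SELinux build that lacks the boolean is logged and ignored.
sub setSelinuxBoolean {
    my ($setup, $name, $want) = @_;
    my $other = ($want eq 'on') ? 'off' : 'on';

    $? = 0; # clear error
    my $cmd = "getsebool $name";
    my $output = `$cmd 2>&1`;
    chomp($output);
    if ($output =~ /Error getting active value for \Q$name\E/) {
        # this version of selinux does not support the boolean value
        debug(1, "This version of selinux does not support $name\n");
    } elsif ($?) {
        $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
    } elsif ($output =~ /$other$/) {
        $cmd = "setsebool -P $name $want";
        $? = 0; # clear error
        $output = `$cmd 2>&1`;
        chomp($output);
        if ($?) {
            $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
        } else {
            debug(1, "$cmd was successful\n");
        }
    } else {
        debug(1, "selinux boolean $name is already $want - $output\n");
    }
    return;
}
```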
@@ -873,7 +878,7 @@ sub updateSelinuxPolicy {
my $rundir = shift;

# if selinux is not available, do nothing
- if ("@with_selinux@") {
+ if (usingSELinux()) {
# run restorecon on all directories we created
system("restorecon -R $configdir $securitydir $logdir $rundir");

@@ -900,29 +905,27 @@ sub updateSelinuxPolicy {

# turn on the switch to allow admin server to connect to the ldap port
$? = 0; # clear error
- $rc = system("/usr/sbin/selinuxenabled");
- if ($rc == 0) {
- my $cmd = "getsebool httpd_can_connect_ldap";
- my $output = `$cmd 2>&1`;
+
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } elsif ($output =~ /off$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap on";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
chomp($output);
- if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
- # this version of selinux does not support the boolean value
- debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
- } elsif ($?) {
+ if ($?) {
$setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
- } elsif ($output =~ /off$/) {
- $cmd = "setsebool -P httpd_can_connect_ldap on";
- $? = 0; # clear error
- $output = `$cmd 2>&1`;
- chomp($output);
- if ($?) {
- $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
- } else {
- debug(1, "$cmd was successful\n");
- }
} else {
- debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n");
+ debug(1, "$cmd was successful\n");
}
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n");
}
}
}

--
389-commits mailing list
389-commits@lists.fedoraproject.org
https://lists.fedoraproject.org/admin/lists/389-commits@lists.fedoraproject.org
