PR#50448: ticket 50297 - prefix deployment -selinux +uid - 389-ds-base

389-ds-base

#50448 ticket 50297 - prefix deployment -selinux +uid

Closed 3 years ago by spichugi. Opened 4 years ago by tbordaz.

tbordaz/389-ds-base ticket_50297 into master

ticket 50297 - prefix deployment -selinux +uid

Thierry Bordaz • 4 years ago

bb62303

configure.ac

file modified

+22 -2

		`@@ -511,8 +511,28 @@`
		`schemadir=/$PACKAGE_NAME/schema`

		`# default user, group`
		`- defaultuser=dirsrv`
		`- defaultgroup=dirsrv`
		`+ AC_MSG_CHECKING(for --with-username)`
		`+ AC_ARG_WITH([username],`
		`+ AS_HELP_STRING([--with-username=USERNAME],`
		`+ [Name of the user running the instances])`
		`+ )`
		`+ if test -n "$with_username"; then`
		`+ AC_MSG_RESULT([$with_username])`
		`+ defaultuser=$with_username`
		`+ else`
		`+ defaultuser=dirsrv`
		`+ fi`
		`+ AC_MSG_CHECKING(for --with-groupname)`
		`+ AC_ARG_WITH([groupname],`
		`+ AS_HELP_STRING([--with-groupname=GROUPNAME],`
		`+ [Group of the user running the instances])`
		`+ )`
		`+ if test -n "$with_groupname"; then`
		`+ AC_MSG_RESULT([$with_groupname])`
		`+ defaultgroup=$with_groupname`
		`+ else`
		`+ defaultgroup=dirsrv`
		`+ fi`

		`AC_MSG_CHECKING(for --with-perldir)`
		`AC_ARG_WITH([perldir],`

ldap/admin/src/defaults.inf.in

file modified

+2 -2

		`@@ -45,8 +45,8 @@`
		`tmpfiles_d = @tmpfiles_d@`

		`; These values can be altered in an installation of ds`
		`- user = dirsrv`
		`- group = dirsrv`
		`+ user = @defaultuser@`
		`+ group = @defaultgroup@`
		`root_dn = cn=Directory Manager`

		`schema_dir = @instconfigdir@/slapd-{instance_name}/schema`

src/lib389/lib389/__init__.py

file modified

+6 -2

		`@@ -69,7 +69,8 @@`
		`ensure_list_str,`
		`format_cmd_list,`
		`selinux_present,`
		`- selinux_label_port)`
		`+ selinux_label_port,`
		`+ get_user_is_root)`
		`from lib389.paths import Paths`
		`from lib389.nss_ssl import NssSsl`
		`from lib389.tasks import BackupTask, RestoreTask`
		`@@ -840,6 +841,9 @@`
		`slapd_options.verify()`
		`slapd = slapd_options.collect()`

		`+ if not slapd['user'] == 'root':`
		`+ general['selinux'] = False`
		`+`
		`# In order to work by "default" for tests, we need to create a backend.`
		`backends = []`
		`if self.creation_suffix is not None:`
		`@@ -1595,7 +1599,7 @@`
		`self.config.set('nsslapd-security', 'on')`
		`self.use_ldaps_uri()`

		`- if selinux_present():`
		`+ if selinux_present() and get_user_is_root():`
		`selinux_label_port(self.sslport)`

		`if self.ds_paths.perl_enabled:`

src/lib389/lib389/utils.py

file modified

		`@@ -193,6 +193,10 @@`
		`"""`
		`status = False`

		`+ if not shutil.which("semanage"):`
		`+ log.error('semanage command not found, will not relabel ports.' )`
		`+ return status`
		`+`
		`try:`
		`import selinux`
		`if selinux.is_selinux_enabled():`

tbordaz commented 4 years ago

Bug Description:
On prefix build, the defaultuser/defaultgroup is set to dirsrv.
While the installed build belongs to the local user.

By default selinux is True in general option. Selinux should be true
only if if the instance['user'] = 'root'.

Fix Description:
Define defaultuser/defaultgroup as local user if in prefix deployment.
Set selinux=False if the user is not root

https://pagure.io/389-ds-base/issue/50297

Reviewed by: Mark Reynolds

Platforms tested: F28

Flag Day: no

Doc impact: no

firstyear commented on line 6 of configure.ac 4 years ago

I'm worried about this here, because this will cause the obs build service to put the prefix user to abuild instead of dirsrv. Should this instead default to dirsrv and you override it with "--prefixuser=..." at ./configure instead?

firstyear commented 4 years ago

Otherwise everything else looks pretty good to me!

firstyear commented on line 6 of src/lib389/lib389/__init__.py 4 years ago

Okay, second comment: This is not the right place: we should be checking if current running user == root, in utils.py: selinux_present(), and only if root is true, do we continue to check. We also need to check that semanage is present in the selinux_present function as well to work with setups that do not have that but are running as root

rebased onto 6b08e590c23673f5bf39a2b42efa9a22d7447145

4 years ago

rebased onto 38b49c07d3fb1f50d8d8b7725d12bb25605d2f89

4 years ago

mreynolds commented on line 13 of src/lib389/lib389/utils.py 4 years ago

Should this be a debug message? This check is above where we are doing other selinux checks, should this be moved lower in the function? I'm not sure, just asking...

firstyear commented 4 years ago

Yes should be a debug message, otherwise the rest looks reasonable, thanks for the changes @tbordaz :) I'll leave @mreynolds to give his approval.

rebased onto 495207017f0996d5a71065b0f7997fea2b0cf663

4 years ago

tbordaz commented 4 years ago

Indeed it is a debug message as the command will succeed but the command will not label the port (because policycoreutils-python-utils is not installed)

selinux_present is called to decide if the port needs to be labeled or not.
This requires both semanage to be installed and selinux to be enabled. I think we can do the test the over way around the important step being the status=True if both conditions are tested.