From 56196b28085b346b86b43662a1ba7fdaf7a2454b Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Apr 03 2012 22:21:09 +0000 Subject: Configure SELinux for httpd during upgrades SELinux configuration for httpd instance was set for new installations only. Upgraded IPA servers (namely 2.1.x -> 2.2.x upgrade) missed the configuration. This lead to AVCs when httpd tries to contact ipa_memcached and user not being able to log in. This patch updates ipa-upgradeconfig to configure SELinux in the same way as ipa-server-install does. https://fedorahosted.org/freeipa/ticket/2603 --- diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 40a2b68..a2a3024 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -163,7 +163,7 @@ def check_certs(): print "Missing Certification Authority file." print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt" -def upgrade_pki(): +def upgrade_pki(fstore): """ Update/add the dogtag proxy configuration. The IPA side of this is handled in ipa-pki-proxy.conf. @@ -173,7 +173,6 @@ def upgrade_pki(): if not os.path.exists('/etc/pki-ca/CS.cfg'): return - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') http = httpinstance.HTTPInstance(fstore) http.enable_mod_nss_renegotiate() if not installutils.get_directive('/etc/pki-ca/CS.cfg', @@ -222,13 +221,11 @@ def update_dbmodules(realm, filename="/etc/krb5.conf"): fd.write("".join(newfile)) fd.close() -def cleanup_kdc(): +def cleanup_kdc(fstore): """ Clean up old KDC files if they exist. We need to remove the actual file and any references in the uninstall configuration. """ - fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') - for file in ['kpasswd.keytab', 'ldappwd']: filename = '/var/kerberos/krb5kdc/%s' % file installutils.remove_file(filename) 
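Review bot: `upgrade_pki(fstore)` and `cleanup_kdc(fstore)` now take the sysrestore FileStore from the caller, but neither docstring mentions the new required parameter, so someone reading either function on its own cannot tell what it expects or who owns the store. I would add one line to each docstring, e.g. `fstore: the sysrestore.FileStore shared by all upgrade steps (presumably where changes are recorded for uninstall).` Because one store instance is now shared across several steps, that line is also the place to say callers must pass the instance created in main() rather than open a second one on /var/lib/ipa/sysrestore. The bodies of both functions continue past their hunks.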
@@ -244,6 +241,14 @@ def upgrade_ipa_profile(realm): if ca.enable_subject_key_identifier(): ca.restart() +def upgrade_httpd_selinux(fstore): + """ + Update SElinux configuration for httpd instance in the same way as the + new server installation does. + """ + http = httpinstance.HTTPInstance(fstore) + http.configure_selinux_for_httpd() + def main(): """ Get some basics about the system. If getting those basics fail then @@ -254,6 +259,8 @@ def main(): if not os.geteuid()==0: sys.exit("\nYou must be root to run this script.\n") + fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + try: krbctx = krbV.default_context() except krbV.Krb5Error, e: @@ -274,12 +281,13 @@ def main(): upgrade(sub_dict, "/etc/httpd/conf.d/ipa.conf", ipautil.SHARE_DIR + "ipa.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-rewrite.conf", ipautil.SHARE_DIR + "ipa-rewrite.conf") upgrade(sub_dict, "/etc/httpd/conf.d/ipa-pki-proxy.conf", ipautil.SHARE_DIR + "ipa-pki-proxy.conf", add=True) - upgrade_pki() + upgrade_pki(fstore) update_dbmodules(krbctx.default_realm) uninstall_ipa_kpasswd() - http = httpinstance.HTTPInstance() + http = httpinstance.HTTPInstance(fstore) http.remove_httpd_ccache() + http.configure_selinux_for_httpd() memcache = memcacheinstance.MemcacheInstance() memcache.ldapi = True @@ -294,7 +302,7 @@ def main(): except (ldap.ALREADY_EXISTS, ipalib.errors.DuplicateEntry): pass - cleanup_kdc() + cleanup_kdc(fstore) upgrade_ipa_profile(krbctx.default_realm) try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index e46d4ed..0a09c26 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py 
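Review bot: `upgrade_httpd_selinux(fstore)` is added in the first hunk but never called; main() invokes `http.configure_selinux_for_httpd()` directly in the @@ -274 hunk, so the new wrapper and its docstring are dead code and the two will drift. Either drop the wrapper or have main() use it like its siblings, `upgrade_httpd_selinux(fstore)` in place of the direct method call, keeping the `http = httpinstance.HTTPInstance(fstore)` instance for `remove_httpd_ccache()`. A second point worth a comment at the call site: this step now runs on every ipa-upgradeconfig invocation, not only the 2.1.x to 2.2.x upgrade the commit targets, so the method it calls must be safe to repeat on an already-configured server and should not abort the remaining upgrade steps if the SELinux tooling is absent; neither property can be verified from these hunks. main() starts in the @@ -254 hunk and continues past the last hunk.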
@@ -86,7 +86,7 @@ class HTTPInstance(service.Service): self.step("publish CA cert", self.__publish_ca_cert) self.step("creating a keytab for httpd", self.__create_http_keytab) self.step("clean up any existing httpd ccache", self.remove_httpd_ccache) - self.step("configuring SELinux for httpd", self.__selinux_config) + self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) self.step("restarting httpd", self.__start) self.step("configuring httpd to start on boot", self.__enable) @@ -103,7 +103,7 @@ class HTTPInstance(service.Service): # components as found in our LDAP configuration tree self.ldap_enable('HTTP', self.fqdn, self.dm_password, self.suffix) - def __selinux_config(self): + def configure_selinux_for_httpd(self): selinux = False try: if (os.path.exists('/usr/sbin/selinuxenabled')):
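Review bot: `configure_selinux_for_httpd` becomes a public method that ipa-upgradeconfig calls on live, already-installed servers, yet it has no docstring and the new name no longer signals that it may change system-wide SELinux policy state. I would add a docstring saying that it is invoked both as an install step and on every upgrade run, so it must be idempotent, and that it only acts when /usr/sbin/selinuxenabled exists (the `os.path.exists` check is visible; what follows, presumably a boolean change for httpd, is outside the hunk). The method body continues beyond the end of the hunk.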