[Freeipa-devel] [PATCH] Handle selinux failure

Rob Crittenden rcritten at redhat.com
Thu Oct 25 15:32:43 UTC 2007 

Karl MacMillan wrote:
> On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> # HG changeset patch
>>> # User "Karl MacMillan <kmacmill at redhat.com>"
>>> # Date 1193235029 14400
>>> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
>>> # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
>>> Handle selinux failure
>>>
>>> Ignore errors if setsebool fails and print a warning.
>>>
>>> diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
>>> --- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
>>> +++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
>>> @@ -554,7 +554,16 @@ def main():
>>>  
>>>          if selinux:
>>>              # Allow apache to connect to the turbogears web gui
>>> -            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> +            # This can still fail even if selinux is enabled
>>> +            try:
>>> +                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> +            except:
>>> +                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
>>> +                print "The web interface may not function correctly until this boolean is"
>>> +                print "successfully change with the command:"
>>> +                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
>>> +                print "Try updating the policycoreutils and selinux-policy packages."
>>> +                pass
>>>  
>>>          # Start the web gui
>>>          run(["/sbin/service", "ipa-webgui", "start"])
>> Um, shouldn't we just have some minimum required version? If we know a 
>> setup isn't going to work should we really let them proceed?
>>
> 
> Yes - we should set the minimum version (I'll send a patch), but there
> are other reasons this could fail. So we should still catch the error
> and issue a warning.
> 
> A good example of an error that is still possible is that there might be
> a fully custom policy on the system. In that case the error will be
> somewhat wrong, but should tell someone experienced enough to have a
> custom policy what that there may be an issue to deal with.
> 
> Karl
> 

Ah ok, good points. Go ahead and push it then.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20071025/43042686/attachment.bin>

More information about the Freeipa-devel mailing list