[Freeipa-devel] [PATCH] Handle selinux failure
Rob Crittenden
rcritten at redhat.com
Thu Oct 25 15:32:43 UTC 2007
Karl MacMillan wrote:
> On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> # HG changeset patch
>>> # User "Karl MacMillan <kmacmill at redhat.com>"
>>> # Date 1193235029 14400
>>> # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
>>> # Parent d474654ca48ff4d36dffca6a94ac88ed0e441586
>>> Handle selinux failure
>>>
>>> Ignore errors if setsebool fails and print a warning.
>>>
>>> diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
>>> --- a/ipa-server/ipa-install/ipa-server-install Wed Oct 24 10:04:43 2007 -0400
>>> +++ b/ipa-server/ipa-install/ipa-server-install Wed Oct 24 10:10:29 2007 -0400
>>> @@ -554,7 +554,16 @@ def main():
>>>
>>> if selinux:
>>> # Allow apache to connect to the turbogears web gui
>>> - run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> + # This can still fail even if selinux is enabled
>>> + try:
>>> + run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
>>> + except:
>>> + print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
>>> + print "The web interface may not function correctly until this boolean is"
>>> + print "successfully change with the command:"
>>> + print " /usr/sbin/setsebool -P httpd_can_network_connect true"
>>> + print "Try updating the policycoreutils and selinux-policy packages."
>>> + pass
>>>
>>> # Start the web gui
>>> run(["/sbin/service", "ipa-webgui", "start"])
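Review bot: the bare `except:` around the setsebool call catches every exception, including KeyboardInterrupt and SystemExit, so interrupting the installer at this step would print the SELinux warning and carry on to starting the web GUI. Catch only the exception that run() raises when the command fails, and include its detail in the warning so the reason for the failure is not discarded. The trailing `pass` after the print statements is redundant, and the warning text says "successfully change" where "changed" is meant.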
>> Um, shouldn't we just have some minimum required version? If we know a
>> setup isn't going to work should we really let them proceed?
>>
>
> Yes - we should set the minimum version (I'll send a patch), but there
> are other reasons this could fail. So we should still catch the error
> and issue a warning.
>
> A good example of an error that is still possible is that there might be
> a fully custom policy on the system. In that case the error will be
> somewhat wrong, but should tell someone experienced enough to have a
> custom policy that there may be an issue to deal with.
>
> Karl
>
Ah ok, good points. Go ahead and push it then.
rob