[Freeipa-devel] [PATCH] Handle selinux failure
Karl MacMillan
kmacmill at redhat.com
Thu Oct 25 15:00:58 UTC 2007
On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1193235029 14400
> > # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> > # Parent d474654ca48ff4d36dffca6a94ac88ed0e441586
> > Handle selinux failure
> >
> > Ignore errors if setsebool fails and print a warning.
> >
> > diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
> > --- a/ipa-server/ipa-install/ipa-server-install Wed Oct 24 10:04:43 2007 -0400
> > +++ b/ipa-server/ipa-install/ipa-server-install Wed Oct 24 10:10:29 2007 -0400
> > @@ -554,7 +554,16 @@ def main():
> >
> > if selinux:
> > # Allow apache to connect to the turbogears web gui
> > - run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > + # This can still fail even if selinux is enabled
> > + try:
> > + run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > + except:
> > + print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
> > + print "The web interface may not function correctly until this boolean is"
> > + print "successfully change with the command:"
> > + print " /usr/sbin/setsebool -P httpd_can_network_connect true"
> > + print "Try updating the policycoreutils and selinux-policy packages."
> > + pass
> >
> > # Start the web gui
> > run(["/sbin/service", "ipa-webgui", "start"])
>
> Um, shouldn't we just have some minimum required version? If we know a
> setup isn't going to work should we really let them proceed?
>
Yes - we should set the minimum version (I'll send a patch), but there
are other reasons this could fail. So we should still catch the error
and issue a warning.
A good example of an error that is still possible is that there might be
a fully custom policy on the system. In that case the error will be
somewhat wrong, but should tell someone experienced enough to have a
custom policy what that there may be an issue to deal with.
Karl
More information about the Freeipa-devel
mailing list