[Freeipa-devel] [PATCH] Handle selinux failure

Karl MacMillan kmacmill at redhat.com
Thu Oct 25 15:00:58 UTC 2007 

On Wed, 2007-10-24 at 11:37 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > # HG changeset patch
> > # User "Karl MacMillan <kmacmill at redhat.com>"
> > # Date 1193235029 14400
> > # Node ID 9ff6cec98d764acbaefe915e0da63d29cd72cea1
> > # Parent  d474654ca48ff4d36dffca6a94ac88ed0e441586
> > Handle selinux failure
> > 
> > Ignore errors if setsebool fails and print a warning.
> > 
> > diff -r d474654ca48f -r 9ff6cec98d76 ipa-server/ipa-install/ipa-server-install
> > --- a/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:04:43 2007 -0400
> > +++ b/ipa-server/ipa-install/ipa-server-install	Wed Oct 24 10:10:29 2007 -0400
> > @@ -554,7 +554,16 @@ def main():
> >  
> >          if selinux:
> >              # Allow apache to connect to the turbogears web gui
> > -            run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > +            # This can still fail even if selinux is enabled
> > +            try:
> > +                run(["/usr/sbin/setsebool", "-P", "httpd_can_network_connect", "true"])
> > +            except:
> > +                print "WARNING: could not set selinux boolean httpd_can_network_connect to true."
> > +                print "The web interface may not function correctly until this boolean is"
> > +                print "successfully change with the command:"
> > +                print "   /usr/sbin/setsebool -P httpd_can_network_connect true"
> > +                print "Try updating the policycoreutils and selinux-policy packages."
> > +                pass
> >  
> >          # Start the web gui
> >          run(["/sbin/service", "ipa-webgui", "start"])
> 
> Um, shouldn't we just have some minimum required version? If we know a 
> setup isn't going to work should we really let them proceed?
> 

Yes - we should set the minimum version (I'll send a patch), but there
are other reasons this could fail. So we should still catch the error
and issue a warning.

A good example of an error that is still possible is that there might be
a fully custom policy on the system. In that case the error will be
somewhat wrong, but should tell someone experienced enough to have a
custom policy what that there may be an issue to deal with.

Karl

More information about the Freeipa-devel mailing list