[Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

thierry bordaz tbordaz at redhat.com
Fri Sep 26 09:57:11 UTC 2014


On 09/26/2014 11:23 AM, Martin Kosek wrote:
> On 09/25/2014 11:34 AM, thierry bordaz wrote:
>> On 09/25/2014 10:58 AM, Petr Viktorin wrote:
>>> On 09/24/2014 06:02 PM, thierry bordaz wrote:
>>>> On 08/15/2014 10:40 PM, Petr Viktorin wrote:
>>>>> A fix for https://fedorahosted.org/freeipa/ticket/4157
>>>>>
>>>>> This depends on my patches 0631-0632 (for backup/restore integration
>>>>> tests).
>>>>>
>>>>>
>>>>> Our setsebool code was repeated a few times. Instead of adding another
>>>>> copy, I refactored what we have into a platform task.
>>>>> I fixed two old setsebool tickets while I was at it:
>>>>> https://fedorahosted.org/freeipa/ticket/2519
>>>>> https://fedorahosted.org/freeipa/ticket/2934
>>>>>
>>>>> Since ipaplatform should not depend on ipalib, and I needed a new
>>>>> exception type, I added a new module, ipapython.errors. This might not
>>>>> be the best name, since it could be confused with ipalib.errors.
>>>>> Opinions welcome.
>>>>>
>>>>>
>>>>> As for the second patch: ideally, rather than what I do with `if
>>>>> 'ADTRUST' in self.backup_services`, we'd get the list of booleans
>>>>> directly from the *instance modules, or even tell the individual
>>>>> services to restore themselves. But, that refactoring looks like too
>>>>> much to do now.
>>>
>>> Filed easyfix: https://fedorahosted.org/freeipa/ticket/4571
>>>
>>>
>>>> The first patch looks good to me. Just a minor comment. The test and run
>>>> of 'paths.SELINUXENABLED' is present several times in tasks.py and
>>>> fedora. Is it worth refactoring it?
>>>>
>>>> About the second patch, something I do not understand.
>>>> restore_selinux_booleans resets the selinux boolean to the values that
>>>> are taken from SELINUX_BOOLEAN_SETTINGS in the instance (http/ad). Does
>>>> that mean this dict has been updated with the original values (using
>>>> 'backup_func' in set_selinux_booleans)?
>>>
>>> This is restoring an IPA installation, not restoring the system to a
>>> pre-IPA state.
>>> The settings need to be the same as if IPA was being installed.
>>>
>>>
>> OK thanks for the explanation.
>
> Is this an ACK?
>
> Martin
>
Oh sorry, yes, for me it is an ACK.

thierry