[Freeipa-devel] [PATCHES] 0633-0634 Move setting SELinux booleans to platform code; Set SELinux booleans when restoring

Martin Kosek mkosek at redhat.com
Fri Sep 26 10:16:37 UTC 2014


On 09/26/2014 11:57 AM, thierry bordaz wrote:
> On 09/26/2014 11:23 AM, Martin Kosek wrote:
>> On 09/25/2014 11:34 AM, thierry bordaz wrote:
>>> On 09/25/2014 10:58 AM, Petr Viktorin wrote:
>>>> On 09/24/2014 06:02 PM, thierry bordaz wrote:
>>>>> On 08/15/2014 10:40 PM, Petr Viktorin wrote:
>>>>>> A fix for https://fedorahosted.org/freeipa/ticket/4157
>>>>>>
>>>>>> This depends on my patches 0631-0632 (for backup/restore integration
>>>>>> tests).
>>>>>>
>>>>>>
>>>>>> Our setsebool code was repeated a few times. Instead of adding another
>>>>>> copy, I refactored what we have into a platform task.
>>>>>> I fixed two old setsebool tickets while I was at it:
>>>>>> https://fedorahosted.org/freeipa/ticket/2519
>>>>>> https://fedorahosted.org/freeipa/ticket/2934
>>>>>>
>>>>>> Since ipaplatform should not depend on ipalib, and I needed a new
>>>>>> exception type, I added a new module, ipapython.errors. This might not
>>>>>> be the best name, since it could be confused with ipalib.errors.
>>>>>> Opinions welcome.
>>>>>>
>>>>>>
>>>>>> As for the second patch: ideally, rather than what I do with `if
>>>>>> 'ADTRUST' in self.backup_services`, we'd get the list of booleans
>>>>>> directly from the *instance modules, or even tell the individual
>>>>>> services to restore themselves. But, that refactoring looks like too
>>>>>> much to do now.
>>>>
>>>> Filed easyfix: https://fedorahosted.org/freeipa/ticket/4571
>>>>
>>>>
>>>>> The first patch looks good to me. Just a minor comment. The test and run
>>>>> of 'paths.SELINUXENABLED' is present several times in tasks.py and
>>>>> fedora. Is it worth refactoring it?
>>>>>
>>>>> About the second patch, something I do not understand.
>>>>> restore_selinux_booleans resets the selinux boolean to the values that
>>>>> are taken from SELINUX_BOOLEAN_SETTINGS in the instance (http/ad). Does
>>>>> that mean this dict has been updated with the original values (using
>>>>> 'backup_func' in set_selinux_booleans)?
>>>>
>>>> This is restoring an IPA installation, not restoring the system to a pre-IPA
>>>> state.
>>>> The settings need to be the same as if IPA was being installed.
>>>>
>>>>
>>> OK thanks for the explanation.
>>
>> Is this an ACK?
>>
>> Martin
>>
> Oh sorry, yes, for me it is an ACK.
>
> thierry

Ok, thanks.

Pushed to:
master: dea825fd9cdd36a6fa371b2a5e1d1f35c177c6ef
ipa-4-1: 9b5436cbb9d0ab0c4b5a46885d108fda1cdf1b6d

Martin



