Yedidyah Bar David has uploaded a new change for review. Change subject: packaging: setup: clean up selinux and move to common ......................................................................
packaging: setup: clean up selinux and move to common

Make all users use env and just a single plugin actually call selinux commands.

Move to to common/base so it's available to others.

Change-Id: I7e2c7e6871cab4bed04186b8441b86d0476910f9
Signed-off-by: Yedidyah Bar David <d...@redhat.com>
---
M packaging/setup/ovirt_engine_setup/constants.py
R packaging/setup/plugins/ovirt-engine-common/base/system/selinux.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/apache/selinux.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/all-in-one/sshd.py
4 files changed, 48 insertions(+), 83 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/72/39672/1

diff --git a/packaging/setup/ovirt_engine_setup/constants.py b/packaging/setup/ovirt_engine_setup/constants.py
index 1168fa0..98ee7fa 100644
--- a/packaging/setup/ovirt_engine_setup/constants.py
+++ b/packaging/setup/ovirt_engine_setup/constants.py
@@ -223,6 +223,8 @@
 KEEP_ONLY_VALID_FIREWALL_MANAGERS = \
 'osetup.keep.only.valid.firewall.managers'
+ SETUP_SELINUX = 'osetup.setup.selinux'
+
 @util.export
 @util.codegen
@@ -347,6 +349,7 @@
 SELINUX_CONTEXTS = 'OVESETUP_SYSTEM/selinuxContexts'
 SELINUX_RESTORE_PATHS = 'OVESETUP_SYSTEM/selinuxRestorePaths'
+ SELINUX_BOOLEANS = 'OVESETUP_SYSTEM/selinuxBooleans'
 HOSTILE_SERVICES = 'OVESETUP_SYSTEM/hostileServices'
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/selinux.py b/packaging/setup/plugins/ovirt-engine-common/base/system/selinux.py
similarity index 78%
rename from packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/selinux.py
rename to packaging/setup/plugins/ovirt-engine-common/base/system/selinux.py
index ab4dd0b..df9fd65 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/system/selinux.py
+++ b/packaging/setup/plugins/ovirt-engine-common/base/system/selinux.py
@@ -25,7 +25,6 @@
 from otopi import plugin, util
 from ovirt_engine_setup import constants as osetupcons
-from ovirt_engine_setup.engine import constants as oenginecons
 def _(m):
@@ -48,6 +47,7 @@
 def _init(self):
 self.environment[osetupcons.SystemEnv.SELINUX_CONTEXTS] = []
 self.environment[osetupcons.SystemEnv.SELINUX_RESTORE_PATHS] = []
+ self.environment[osetupcons.SystemEnv.SELINUX_BOOLEANS] = []
 @plugin.event(
 stage=plugin.Stages.STAGE_SETUP,
@@ -64,12 +64,9 @@
 priority=plugin.Stages.PRIORITY_HIGH,
 )
 def _validation_enable(self):
- self._enabled = (
- self.environment[oenginecons.CoreEnv.ENABLE] and
- not self.environment[
- osetupcons.CoreEnv.DEVELOPER_MODE
- ]
- )
+ self._enabled = not self.environment[
+ osetupcons.CoreEnv.DEVELOPER_MODE
+ ]
 @plugin.event(
 stage=plugin.Stages.STAGE_VALIDATION,
@@ -90,6 +87,7 @@
 @plugin.event(
 stage=plugin.Stages.STAGE_MISC,
 condition=lambda self: self._enabled,
+ name=osetupcons.Stages.SETUP_SELINUX,
 priority=plugin.Stages.PRIORITY_LOW,
 )
 def _misc(self):
@@ -125,6 +123,26 @@
 path=path
 )
 )
+ for entry in self.environment[osetupcons.SystemEnv.SELINUX_BOOLEANS]:
+ rc, stdout, stderr = self.execute(
+ (
+ self.command.get('semanage'),
+ 'boolean',
+ '--modify',
+ '--{state}'.format(state=entry['state'],
+ entry['boolean']
+ )
+ )
+ if rc != 0:
+ self.logger.error(
+ _(
+ 'Failed to modify selinux boolean {boolean}, please '
+ 'make sure it is set to {state}.'
+ ).format(
+ boolean=entry['boolean'],
+ state=entry['state'],
+ )
+ )
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/apache/selinux.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/apache/selinux.py
index 09da4e4..b6923a9 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/apache/selinux.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine-common/apache/selinux.py
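Review bot: The added `semanage boolean` call in the `@@ -125,6 +123,26 @@` hunk does not parse: `'--{state}'.format(state=entry['state'],` is never closed, so `entry['boolean']` lands inside the `.format()` call as a positional argument after a keyword one, and the outer `self.execute(` is left without its closing parenthesis. The call also omits `raiseOnError=False`, which the removed apache plugin passed for the same command; if `execute` raises on a non-zero exit by default, the `if rc != 0` branch is unreachable and a failed boolean change aborts setup instead of being logged. Because `entry['state']` is spliced into a command-line flag, checking that it is one of `'on'`/`'off'` before building the command keeps a malformed environment entry from becoming an unintended option. `_misc`'s signature and the earlier part of its body lie outside this hunk.
```python
            for entry in self.environment[osetupcons.SystemEnv.SELINUX_BOOLEANS]:
                # entries are appended by other plugins before SETUP_SELINUX;
                # only accept the two states semanage understands
                if entry['state'] not in ('on', 'off'):
                    raise RuntimeError(
                        _('Invalid selinux boolean state {state}').format(
                            state=entry['state'],
                        )
                    )
                rc, stdout, stderr = self.execute(
                    (
                        self.command.get('semanage'),
                        'boolean',
                        '--modify',
                        '--{state}'.format(state=entry['state']),
                        entry['boolean'],
                    ),
                    raiseOnError=False,
                )
                # … unchanged: rc != 0 error logging …
```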
@@ -37,66 +37,20 @@
 def __init__(self, context):
 super(Plugin, self).__init__(context=context)
- self._enabled = True
-
- @plugin.event(
- stage=plugin.Stages.STAGE_SETUP,
- )
- def _setup(self):
- self.command.detect('selinuxenabled')
- self.command.detect('semanage')
- self._enabled = not self.environment[
- osetupcons.CoreEnv.DEVELOPER_MODE
- ]
-
- @plugin.event(
- stage=plugin.Stages.STAGE_VALIDATION,
- condition=lambda self: self._enabled,
- priority=plugin.Stages.PRIORITY_HIGH
- )
- def _validation_enable(self):
- if not self.environment[oengcommcons.ApacheEnv.ENABLE]:
- self._enabled = False
-
- @plugin.event(
- stage=plugin.Stages.STAGE_VALIDATION,
- condition=lambda self: self._enabled,
- )
- def _validation(self):
- if self.command.get('selinuxenabled', optional=True) is None:
- self._enabled = False
- else:
- rc, stdout, stderr = self.execute(
- (
- self.command.get('selinuxenabled'),
- ),
- raiseOnError=False,
- )
- self._enabled = rc == 0
 @plugin.event(
 stage=plugin.Stages.STAGE_MISC,
- condition=lambda self: self._enabled,
+ before=(
+ osetupcons.Stages.SETUP_SELINUX,
+ ),
 )
 def _misc(self):
- command = (
- self.command.get('semanage'),
- 'boolean',
- '--modify',
- '--on',
- 'httpd_can_network_connect',
- )
- rc, stdout, stderr = self.execute(
- command,
- raiseOnError=False,
- )
- if rc != 0:
- self.logger.warning(
- _(
- 'Failed to modify httpd selinux context, please make '
- 'sure httpd_can_network_connect is set.'
- )
- )
+ self.environment[
+ osetupcons.SystemEnv.SELINUX_BOOLEANS
+ ].append({
+ 'boolean': 'httpd_can_network_connect',
+ 'state': 'on'
+ })
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/all-in-one/sshd.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/all-in-one/sshd.py
index 5baa81b..fcb617e 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/all-in-one/sshd.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/all-in-one/sshd.py
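Review bot: The rewritten `_misc` no longer checks `oengcommcons.ApacheEnv.ENABLE`: the removed `_validation_enable` only applied the boolean when Apache was enabled, while the new event carries no `condition=`, so `httpd_can_network_connect` is requested on every setup that loads this plugin. Restoring the gate on the decorator, `condition=lambda self: self.environment[oengcommcons.ApacheEnv.ENABLE],`, keeps the previous behaviour (assuming the `oengcommcons` import, which this hunk does not remove, is still present; if it is, it is otherwise now unused). The `{'boolean': …, 'state': …}` entry is an implicit contract with the common selinux plugin, so a comment above the append naming the consumer, `# consumed by common/base/system/selinux.py at Stages.SETUP_SELINUX`, would help the next reader.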
@@ -77,7 +77,6 @@
 osetupcons.CoreEnv.DEVELOPER_MODE
 ]
 self.command.detect('sshd')
- self.command.detect('restorecon')
 @plugin.event(
 stage=plugin.Stages.STAGE_CUSTOMIZATION,
@@ -148,15 +147,24 @@
 after=(
 osetupcons.Stages.SSH_KEY_AVAILABLE,
 ),
+ before=(
+ osetupcons.Stages.SETUP_SELINUX,
+ ),
 )
 def _misc(self):
 authorized_keys_line = self.environment[
 oenginecons.PKIEnv.ENGINE_SSH_PUBLIC_KEY
 ] + ' ovirt-engine'
- authorized_keys_file = os.path.join(
+ sshdir = os.path.join(
 os.path.expanduser('~root'),
- '.ssh',
+ '.ssh'
+ )
+ self.environment[
+ osetupcons.SystemEnv.SELINUX_RESTORE_PATHS
+ ].append(sshdir)
+ authorized_keys_file = os.path.join(
+ sshdir,
 'authorized_keys'
 )
@@ -198,24 +206,6 @@
 name='sshd',
 state=True
 )
-
- if self.command.get('restorecon', optional=True) is not None:
- rc, stdout, stderr = self.execute(
- (
- self.command.get('restorecon'),
- '-r',
- os.path.join(
- os.path.expanduser('~root'),
- '.ssh',
- ),
- ),
- raiseOnError=False,
- )
-
- if rc != 0:
- self.logger.warning(
- _('Cannot set SELinux properties on SSH directory')
- )
 # vim: expandtab tabstop=4 shiftwidth=4
--
To view, visit https://gerrit.ovirt.org/39672
To unsubscribe, visit https://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I7e2c7e6871cab4bed04186b8441b86d0476910f9
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yedidyah Bar David <d...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
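Review bot: In the `@@ -148,15 +147,24 @@` hunk, appending `sshdir` to `SELINUX_RESTORE_PATHS` replaces a `restorecon -r` call (removed in the `@@ -198,24 +206,6 @@` hunk) that relabelled the directory recursively, but nothing visible here shows that the common selinux plugin's restore step recurses; if it relabels only the listed path, the `authorized_keys` file created further down keeps its creation-time context. Worth confirming against the consumer of `SELINUX_RESTORE_PATHS`, then recording it next to the append, e.g. `# relabelled (recursively) by the common selinux plugin at SETUP_SELINUX`. The trailing comma dropped from `'.ssh'` is a small style regression against the surrounding multi-line calls. `_misc`'s body continues past this hunk.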