Add proper context to shared state directories so that httpd can write there.
Relax SELinux booleans to allow use of pam modules.
This allows running Ipsilon in fully enforcing mode when pam auth
via the python-pam modules is used.
Signed-off-by: Simo Sorce <simo@redhat.com>
-c "Ipsilon Server" ipsilon
exit 0
+%post
+semanage fcontext -a -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+semanage fcontext -a -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+restorecon -R %{_sharedstatedir}/ipsilon || :
+
+%postun
+semanage fcontext -d -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+semanage fcontext -d -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+
%files
%doc COPYING
%{python2_sitelib}/ipsilon-*.egg-info
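Review bot: The `%postun` scriptlet runs on upgrade as well as on erase, and on upgrade the old package's `%postun` executes after the new package's `%post`, so the two `semanage fcontext -d` lines would delete the rules that were just added. Guard them with `if [ $1 -eq 0 ]; then ... fi` so the contexts are removed only on final uninstall. Separately, the `.conf` rule is a regular expression, not a glob: `(/.*)/*.conf` matches any path under the directory that ends in an arbitrary character followed by `conf`. Something like `(/.*)?/[^/]+\.conf` would express the apparent intent of keeping configuration files out of the httpd-writable type. Since stderr is discarded and failures are masked with `|| :`, a wrong label goes unnoticed, so it is worth verifying the result with `semanage fcontext -l` after install.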
import pwd
import shutil
import socket
+import subprocess
import sys
import time
# Fixup permissions so only the ipsilon user can read these files
files.fix_user_dirs(instance_conf, opts['system_user'], mode=0500)
files.fix_user_dirs(args['data_dir'], opts['system_user'])
+ try:
+ subprocess.call(['/usr/sbin/restorecon', '-R', args['data_dir']])
+ except Exception: # pylint: disable=broad-except
+ pass
def uninstall(plugins, args):
logger.info('Uninstallation initiated')
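Review bot: The relabel result is dropped in the added `try` block: `subprocess.call` returns the exit status rather than raising, so a failing `restorecon` is invisible, and `except Exception: pass` additionally hides a missing binary. On an enforcing host that can leave `args['data_dir']` with the wrong context and httpd denied access, with nothing in the install log to explain it. Keep the step best-effort but record the outcome, e.g. `rc = subprocess.call(['/usr/sbin/restorecon', '-R', args['data_dir']])` followed by `if rc != 0: logger.warning('restorecon on %s exited with %s', args['data_dir'], rc)`, and log in the `except` branch instead of `pass`. The enclosing function starts outside the hunk.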
from ipsilon.util.plugin import PluginObject
import cherrypy
import pam
+import subprocess
class Pam(LoginPageBase):
globalconf['order'] = ','.join(order)
po.set_config(globalconf)
po.save_plugin_config(FACILITY)
+
+ # for selinux enabled platfroms, ignore if it fails just report
+ try:
+ subprocess.call(['/usr/sbin/setsebool', '-P',
+ 'httpd_mod_auth_pam=on',
+ 'httpd_tmp_t=on'])
+ except Exception: # pylint: disable=broad-except
+ pass
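Review bot: The comment above the `setsebool` call says a failure is "just reported", but the exit status of `subprocess.call` is discarded and exceptions are swallowed with `pass`, so nothing is ever reported. That matters because `httpd_tmp_t` reads like an SELinux type name rather than a boolean (confirm with `getsebool -a`). If `setsebool` rejects it, `httpd_mod_auth_pam` may not be applied either, and the administrator gets no hint why PAM login fails under enforcing mode. Capture the return code and log a warning when it is non-zero, and log the exception instead of passing. Since `-P` persistently relaxes policy for every application served by httpd on the host, the install output should state which booleans were changed, and the plugin's unconfigure path (outside this hunk, as is the start of the enclosing method) would be the place to turn them back off.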