Make SELinux happy

Add proper context to shared state directories so that httpd can write there.

Relax SElinux boolans to allow use of pam modules
This allows running Ipsilon in fully enforcing mode when pam auth
using the python-pam modules is used.

Signed-off-by: Simo Sorce <simo@redhat.com>

diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec
index 08f2c70..f86e4de 100644 (file)
--- a/contrib/fedora/ipsilon.spec
+++ b/contrib/fedora/ipsilon.spec
@@ -62,6 +62,15 @@ getent passwd ipsilon >/dev/null || \
     -c "Ipsilon Server" ipsilon
 exit 0
 
     -c "Ipsilon Server" ipsilon
 exit 0
 

+%post
+semanage fcontext -a -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+semanage fcontext -a -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+restorecon -R %{_sharedstatedir}/ipsilon || :
+
+%postun
+semanage fcontext -d -t var_lib_t '%{_sharedstatedir}/ipsilon(/.*)/*.conf' 2>/dev/null || :
+semanage fcontext -d -t httpd_var_lib_t '%{_sharedstatedir}/ipsilon(/.*)?' 2>/dev/null || :
+

 %files
 %doc COPYING
 %{python2_sitelib}/ipsilon-*.egg-info
 %files
 %doc COPYING
 %{python2_sitelib}/ipsilon-*.egg-info

diff --git a/ipsilon/install/ipsilon-server-install b/ipsilon/install/ipsilon-server-install
index b5a6371..d9e4585 100755 (executable)
--- a/ipsilon/install/ipsilon-server-install
+++ b/ipsilon/install/ipsilon-server-install
@@ -28,6 +28,7 @@ import os
 import pwd
 import shutil
 import socket
 import pwd
 import shutil
 import socket

+import subprocess

 import sys
 import time
 
 import sys
 import time
 


@@ -137,6 +138,10 @@ def install(plugins, args):
     # Fixup permissions so only the ipsilon user can read these files
     files.fix_user_dirs(instance_conf, opts['system_user'], mode=0500)
     files.fix_user_dirs(args['data_dir'], opts['system_user'])
     # Fixup permissions so only the ipsilon user can read these files
     files.fix_user_dirs(instance_conf, opts['system_user'], mode=0500)
     files.fix_user_dirs(args['data_dir'], opts['system_user'])

+    try:
+        subprocess.call(['/usr/sbin/restorecon', '-R', args['data_dir']])
+    except Exception:  # pylint: disable=broad-except
+        pass

 
 def uninstall(plugins, args):
     logger.info('Uninstallation initiated')
 
 def uninstall(plugins, args):
     logger.info('Uninstallation initiated')

diff --git a/ipsilon/login/authpam.py b/ipsilon/login/authpam.py
index db409f7..14ebae4 100755 (executable)
--- a/ipsilon/login/authpam.py
+++ b/ipsilon/login/authpam.py
@@ -22,6 +22,7 @@ from ipsilon.login.common import FACILITY
 from ipsilon.util.plugin import PluginObject
 import cherrypy
 import pam
 from ipsilon.util.plugin import PluginObject
 import cherrypy
 import pam

+import subprocess

 
 
 class Pam(LoginPageBase):
 
 
 class Pam(LoginPageBase):


@@ -185,3 +186,11 @@ class Installer(object):
         globalconf['order'] = ','.join(order)
         po.set_config(globalconf)
         po.save_plugin_config(FACILITY)
         globalconf['order'] = ','.join(order)
         po.set_config(globalconf)
         po.save_plugin_config(FACILITY)

+
+        # for selinux enabled platfroms, ignore if it fails just report
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_mod_auth_pam=on',
+                             'httpd_tmp_t=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass