set SELinux boolean httpd_can_connect_ldap when install infolap and authldap

Signed-off-by: John Dennis <jdennis@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

diff --git a/ipsilon/info/infoldap.py b/ipsilon/info/infoldap.py
index 7170e95..3edd0dd 100644 (file)
--- a/ipsilon/info/infoldap.py
+++ b/ipsilon/info/infoldap.py
@@ -8,6 +8,7 @@ from ipsilon.util.plugin import PluginObject
 from ipsilon.util.policy import Policy
 from ipsilon.util import config as pconfig
 import ldap
+import subprocess
 
 
 # TODO: fetch mapping from configuration
@@ -196,3 +197,11 @@ class Installer(InfoProviderInstaller):
         # Update global config to add info plugin
         po.is_enabled = True
         po.save_enabled_state()
+
+        # For selinux enabled platforms permit httpd to connect to ldap,
+        # ignore if it fails
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_can_connect_ldap=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass

diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py
index f383003..1f6c3dc 100644 (file)
--- a/ipsilon/login/authldap.py
+++ b/ipsilon/login/authldap.py
@@ -7,6 +7,7 @@ from ipsilon.util.log import Log
 from ipsilon.util import config as pconfig
 from ipsilon.info.infoldap import InfoProvider as LDAPInfo
 import ldap
+import subprocess
 
 
 class LDAP(LoginFormBase, Log):
@@ -201,3 +202,11 @@ class Installer(LoginManagerInstaller):
         # Update global config to add login plugin
         po.is_enabled = True
         po.save_enabled_state()
+
+        # For selinux enabled platforms permit httpd to connect to ldap,
+        # ignore if it fails
+        try:
+            subprocess.call(['/usr/sbin/setsebool', '-P',
+                             'httpd_can_connect_ldap=on'])
+        except Exception:  # pylint: disable=broad-except
+            pass