Ticket 50195 - improve selinux error messages in interactive

Bug Description: During an interactive install, the selinux module if not found would produce many error messages that were not necessary. Fix Description: Warn the user at the start of the install that selinux isn't found, and allow them to continue https://pagure.io/389-ds-base/issue/50195 Author: William Brown <william@blackhats.net.au> Review by: spichugi (Thanks!)
389ds · Feb 6, 2019 · d8a94c2 · d8a94c2
1 parent e09725e
commit d8a94c2
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 7 deletions.
diff --git a/src/lib389/lib389/__init__.py b/src/lib389/lib389/__init__.py
@@ -1230,7 +1230,8 @@ def start(self, timeout=120, post_open=True):
                 self.log.debug("DEBUG: starting with %s" % cmd)
                 output = subprocess.check_output(*cmd, env=env, stderr=subprocess.STDOUT)
             except subprocess.CalledProcessError:
-                self.log.error(output)
+                self.log.error('Failed to start ns-slapd: "%s"' % output)
+                raise ValueError('Failed to start DS')
             count = timeout
             pid = pid_from_file(self.ds_paths.pid_file)
             while (pid is None) and count > 0:

diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py
@@ -35,7 +35,8 @@
     normalizeDN,
     socket_check_open,
     selinux_label_port,
-    selinux_restorecon)
+    selinux_restorecon,
+    selinux_present)
 
 ds_paths = Paths()
 
@@ -271,6 +272,12 @@ def create_from_cli(self):
                  'log_dir': ds_paths.log_dir,
                  'schema_dir': ds_paths.schema_dir}
 
+        # Let them know about the selinux status
+        if not selinux_present():
+            val = input('\nSelinux support will be disabled, continue? [yes]: ')
+            if val.strip().lower().startswith('n'):
+                return
+
         # Start asking questions, beginning with the hostname...
         val = input('\nEnter system\'s hostname [{}]: '.format(general['full_machine_name'])).rstrip()
         if val != "":

diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
@@ -172,6 +172,36 @@ def wait(self):
 # Utilities
 #
 
+def selinux_present():
+    """
+    Determine if selinux libraries are on a system, and if so, if we are in
+    a state to consume them (enabled, disabled).
+
+    :returns: bool
+    """
+    status = False
+
+    try:
+        import selinux
+        if selinux.is_selinux_enabled():
+            # We have selinux, continue.
+            status = True
+        else:
+            # We have the module, but it's disabled.
+            log.error('selinux is disabled, will not relabel ports or files.' )
+    except ImportError:
+        # No python module, so who knows what state we are in.
+        log.error('selinux python module not found, will not relabel files.' )
+
+    try:
+        if status:
+            # Only if we know it's enabled, check if we can manage ports too.
+            import sepolicy
+    except ImportError:
+        log.error('sepolicy python module not found, will not relabel ports.' )
+
+    return status
+
 
 def selinux_restorecon(path):
     """
@@ -184,11 +214,11 @@ def selinux_restorecon(path):
     try:
         import selinux
     except ImportError:
-        log.error('selinux python module not found, skipping relabel path %s' % path)
+        log.debug('selinux python module not found, skipping relabel path %s' % path)
         return
 
     if not selinux.is_selinux_enabled():
-        log.error('selinux is disabled, skipping relabel path %s' % path)
+        log.debug('selinux is disabled, skipping relabel path %s' % path)
         return
 
     try:
@@ -210,17 +240,17 @@ def selinux_label_port(port, remove_label=False):
     try:
         import selinux
     except ImportError:
-        log.error('selinux python module not found, skipping port labeling.')
+        log.debug('selinux python module not found, skipping port labeling.')
         return
 
     try:
         import sepolicy
     except ImportError:
-        log.error('sepolicy python module not found, skipping port labeling.')
+        log.debug('sepolicy python module not found, skipping port labeling.')
         return
 
     if not selinux.is_selinux_enabled():
-        log.error('selinux is disabled, skipping port relabel')
+        log.debug('selinux is disabled, skipping port relabel')
         return
 
     # We only label ports that ARE NOT in the default policy that comes with