New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
PR - Ticket 49856 - dscreate should set the port selinux labels #3047
Comments
Comment from firstyear (@Firstyear) at 2018-10-24 01:20:39 What if slapd secure port is false here? |
Comment from firstyear (@Firstyear) at 2018-10-24 01:20:56 Besides my one comment, I think this looks reasonable. |
Comment from firstyear (@Firstyear) at 2018-10-24 01:27:39 Ahhh second comment: What happens if container mode == True? We need to not run selinux labeling when we are in container setup, or if we have selinux false. |
Comment from mhonek (@kenoh) at 2018-10-24 14:15:12 The commit message states incorrect Ticket number in its header, should be 49814 I guess. |
Comment from mreynolds (@mreynolds389) at 2018-10-24 14:18:34
Wouldn't this check work in a container:
But I do need to add a check for "selinux=false"
It would never be false here because this is under the "self-signed cert" section |
Comment from mhonek (@kenoh) at 2018-10-24 14:26:28 There is safer and more comprehensible interface (returns list of dicts) we could use. The following would (roughly) replace the code up to line 50: policies = [p for p in sepolicy.info(sepolicy.PORT)
if p['protocol'] == 'tcp'
if port in range(p['low'], p['high'] + 1)
if p['type'] not in ['unreserved_port_t', 'reserved_port_t', 'ephemeral_port_t']]
assert len(policies) <= 1 # there really should be only one at most (the selectors should work, but please double-check) |
Comment from mhonek (@kenoh) at 2018-10-24 14:28:11 Nothing can reach the state BAD. Covscan would complain. |
Comment from mhonek (@kenoh) at 2018-10-24 14:36:09 Both branches could be merged, having only one content (with the |
Comment from mhonek (@kenoh) at 2018-10-24 14:37:14 I'm a bit sad this is necessary. Why is it so? |
Comment from mreynolds (@mreynolds389) at 2018-10-24 15:25:10
I accidentally reused a old branch - I'll change the ticket number though |
Comment from mreynolds (@mreynolds389) at 2018-10-24 15:26:30
Of course it can be BAD - it someone already labelled the port. Am I missing something? |
Comment from mreynolds (@mreynolds389) at 2018-10-24 15:28:31
This was taken from @Firstyear 's original work in "ds_selinux_port_query". I assumed that the command could abort or timeout, and a retry would be needed. |
Comment from mreynolds (@mreynolds389) at 2018-10-24 15:32:58
Actually the logic is different in each branch so they should not be merged as you are suggesting |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:00:38 rebased onto 00260a1021ee0d99bc5f6b0fa08981e1cc284a71 |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:07:13
Seems to work, other changes applied as well, please review... |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:11:01 rebased onto 3e27a8003bfc0935eca21e52bcd521017a748fe9 |
Comment from mhonek (@kenoh) at 2018-10-24 16:12:07
The very next line raises an exception which means it really does not matter what the |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:17:10
You're right, I misunderstood your original point. And I had actually already changed this and rebased. :-p Working on trying to simplify the the remove_label/no remove label branches now... |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:23:48 rebased onto ce917af0e2f137fc5ccc92ad1756439b9755ced0 |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:24:14 @kenoh all changes applied please review one last time |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:27:10 Actually there is an issue I need to fix yet... |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:30:47 rebased onto da7355f989793498c414debb892d1a8b534fd051 |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:34:27 rebased onto d5319291182a89921216391e12245e2e5ebc8d86 |
Comment from mreynolds (@mreynolds389) at 2018-10-24 16:48:19 All changes applied, ready for review |
Comment from mhonek (@kenoh) at 2018-10-24 16:52:04 d531929 looks great, thanks Mark! You've my ACK. I've also checked and in container |
Comment from mreynolds (@mreynolds389) at 2018-10-24 18:51:33 rebased onto 3571bac |
Comment from mreynolds (@mreynolds389) at 2018-10-24 19:04:42 Pull-Request has been merged by mreynolds389 |
Patch |
Cloned from Pagure Pull-Request: https://pagure.io/389-ds-base/pull-request/49988
Description:
dscreate was not setting the selinux labels on the ports, so if you specified
a non-standard port the instance would not start. This fix sets/removes
selinux labels during instance creation and removal
Also moved ds_selinux_port_query & ds_selinux_enabled to the legacy tools
package as they are only used by setup-ds.pl
Resolves: #2873
Reviewed by: ?
The text was updated successfully, but these errors were encountered: