def Install(self, entries, states):
# start a transaction
sr = seobject.semanageRecords("")
if hasattr(sr, "start"):
self.logger.debug("Starting SELinux transaction")
sr.start()
else:
self.logger.debug("SELinux transactions not supported; this may " "slow things down considerably")
Bcfg2.Client.Tools.Tool.Install(self, entries, states)
if hasattr(sr, "finish"):
self.logger.debug("Committing SELinux transaction")
sr.finish()
def Install(self, entries, states):
# start a transaction
semanage = seobject.semanageRecords("")
if hasattr(semanage, "start"):
self.logger.debug("Starting SELinux transaction")
semanage.start()
self.txn = True
else:
self.logger.debug("SELinux transactions not supported; this may "
"slow things down considerably")
Bcfg2.Client.Tools.Tool.Install(self, entries, states)
if hasattr(semanage, "finish"):
self.logger.debug("Committing SELinux transaction")
semanage.finish()
self.txn = False
for func, arg, kwargs in self.post_txn_queue:
states[arg] = func(*arg, **kwargs)
def Install(self, entries, states):
# start a transaction
semanage = seobject.semanageRecords("")
if hasattr(semanage, "start"):
self.logger.debug("Starting SELinux transaction")
semanage.start()
self.txn = True
else:
self.logger.debug("SELinux transactions not supported; this may "
"slow things down considerably")
Bcfg2.Client.Tools.Tool.Install(self, entries, states)
if hasattr(semanage, "finish"):
self.logger.debug("Committing SELinux transaction")
semanage.finish()
self.txn = False
for func, arg, kwargs in self.post_txn_queue:
states[arg] = func(*arg, **kwargs)
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
logger.info('Skipping SELinux setup')
return
if not selinux.is_selinux_enabled() or seobject is None:
logger.info('SELinux disabled')
return
logger.info('Creating SELinux contexts')
# A maximum of 10 tries to create the SELinux contexts
counter = 0
max_tries = 10
while True:
try:
# check first if any transactions are required
if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
self.restore_context(deployer.mdict)
return
# add SELinux contexts when adding the first subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_path'] + self.suffix,
config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_log_path'] +
self.suffix,
config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
logger.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_server_database_path'] + self.suffix,
config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
port_records = seobject.portRecords(trans)
for port in ports:
logger.info(
"adding selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.add(
port, "tcp", "s0",
config.PKI_PORT_SELINUX_CONTEXT)
trans.finish()
self.restore_context(deployer.mdict)
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to setup the selinux context ...")
else:
raise
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
logger.info('SELinux disabled')
return
logger.info('Removing SELinux contexts')
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
# A maximum of 10 tries to delete the SELinux contexts
counter = 1
max_tries = 10
while True:
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
for port in ports:
logger.info(
"deleting selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to remove selinux context ...")
else:
raise
def spawn(self, deployer):
if config.str2bool(deployer.mdict['pki_skip_installation']):
config.pki_log.info(log.SKIP_SELINUX_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
if not selinux.is_selinux_enabled() or seobject is None:
config.pki_log.info(log.SELINUX_DISABLED_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
config.pki_log.info(log.SELINUX_SPAWN_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# A maximum of 10 tries to create the SELinux contexts
counter = 0
max_tries = 10
while True:
try:
# check first if any transactions are required
if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
self.restore_context(deployer.mdict)
return
# add SELinux contexts when adding the first subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 1:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_path'] + self.suffix,
config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_log_path'] +
self.suffix,
config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
config.pki_log.info(
"adding selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.add(
deployer.mdict['pki_server_database_path'] + self.suffix,
config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
port_records = seobject.portRecords(trans)
for port in ports:
config.pki_log.info(
"adding selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.add(
port, "tcp", "s0",
config.PKI_PORT_SELINUX_CONTEXT)
trans.finish()
self.restore_context(deployer.mdict)
break
except ValueError as e:
error_message = str(e)
config.pki_log.debug(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
config.pki_log.debug(
"Retrying to setup the selinux context ...")
else:
raise
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
config.pki_log.info(log.SELINUX_DISABLED_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
return
config.pki_log.info(log.SELINUX_DESTROY_1, __name__,
extra=config.PKI_INDENTATION_LEVEL_1)
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
# A maximum of 10 tries to delete the SELinux contexts
counter = 1
max_tries = 10
while True:
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
config.pki_log.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix,
extra=config.PKI_INDENTATION_LEVEL_2)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
for port in ports:
config.pki_log.info(
"deleting selinux port %s", port,
extra=config.PKI_INDENTATION_LEVEL_2)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
config.pki_log.debug(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
counter += 1
if counter >= max_tries:
raise
time.sleep(5)
config.pki_log.debug(
"Retrying to remove selinux context ...")
else:
raise
def destroy(self, deployer):
if not bool(selinux.is_selinux_enabled()):
logger.info('SELinux disabled')
return
# check first if any transactions are required
if (len(ports) == 0 and deployer.mdict['pki_instance_name'] ==
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME):
return
logger.info('Removing SELinux contexts')
# A maximum of 10 tries to delete the SELinux contexts
max_tries = 10
for counter in range(1, max_tries):
try:
# remove SELinux contexts when removing the last subsystem
if len(deployer.instance.tomcat_instance_subsystems()) == 0:
trans = seobject.semanageRecords("targeted")
trans.start()
if deployer.mdict['pki_instance_name'] != \
config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
fcon = seobject.fcontextRecords(trans)
file_records = fcon.get_all()
if self.context_exists(file_records,
deployer.mdict['pki_instance_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_path'] + self.suffix)
fcon.delete(
deployer.mdict['pki_instance_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_instance_log_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_log_path'] +
self.suffix)
fcon.delete(
deployer.mdict['pki_instance_log_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_instance_configuration_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_instance_configuration_path'] +
self.suffix)
fcon.delete(
deployer.mdict['pki_instance_configuration_path'] +
self.suffix, "")
if self.context_exists(file_records,
deployer.mdict['pki_server_database_path'] +
self.suffix):
logger.info(
"deleting selinux fcontext \"%s\"",
deployer.mdict['pki_server_database_path'] + self.suffix)
fcon.delete(
deployer.mdict['pki_server_database_path'] +
self.suffix, "")
port_records = seobject.portRecords(trans)
port_record_values = port_records.get_all()
for port in ports:
if self.context_exists(port_record_values, port):
logger.info("deleting selinux port %s", port)
port_records.delete(port, "tcp")
trans.finish()
break
except ValueError as e:
error_message = str(e)
logger.error(error_message)
if error_message.strip() == \
"Could not start semanage transaction":
if counter >= max_tries:
raise
time.sleep(5)
logger.debug("Retrying to remove selinux context ...")
else:
raise
