admserv/newinst/src/AdminServer.pm.in | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+)
New commits: commit 3302242bde80530a4f32069ab786249f4a9a1414 Author: Rich Megginson rmeggins@redhat.com Date: Thu Dec 15 11:59:30 2011 -0700
Bug 767823 - selinux: need to allow admin server to connect to ldap port
https://bugzilla.redhat.com/show_bug.cgi?id=767823 Resolves: bug 767823 Bug Description: selinux: need to allow admin server to connect to ldap port Reviewed by: nhosoi (Thanks!) Branch: master Fix Description: Turn on the selinux boolean httpd_can_connect_ldap during setup. Turn it off during removal. Platforms tested: Fedora 16 Flag Day: no Doc impact: no
diff --git a/admserv/newinst/src/AdminServer.pm.in b/admserv/newinst/src/AdminServer.pm.in
index d9d7427..f2de530 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -678,6 +678,30 @@ sub removeAdminServer {
 }
 }
 }
+
+ # turn off the switch to allow admin server to connect to the ldap port
+ $? = 0; # clear error
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } elsif ($output =~ /on$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap off";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } else {
+ debug(1, "$cmd was successful\n");
+ }
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already off - $output\n");
+ }
 }
# remove admin server files in $rundir
@@ -755,6 +779,30 @@ sub updateSelinuxPolicy {
 system("semanage port -a -t http_port_t -p tcp $setup->{inf}->{admin}->{Port}");
 }
 }
+
+ # turn on the switch to allow admin server to connect to the ldap port
+ $? = 0; # clear error
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } elsif ($output =~ /off$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap on";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd, $output, $!);
+ } else {
+ debug(1, "$cmd was successful\n");
+ }
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already on - $output\n");
+ }
 }
 }
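Review bot: The removal path runs `setsebool -P httpd_can_connect_ldap off` whenever the boolean is currently on, but httpd_can_connect_ldap is a host-wide boolean shared by every process in httpd_t, so removing the admin server can silently cut LDAP access for other Apache applications on the same host — including the case where the boolean was already on before this package was ever set up. Removal only knows the current value, not who turned it on; setup should record whether it actually flipped the boolean (the `$setup` object passed through here looks like the natural place, if it persists anything across setup and removal — I can't confirm that from this hunk) and removal should turn it off only when that record says setup did. Until that exists I would at least make the side effect visible in the code with `# NOTE: httpd_can_connect_ldap is global to all httpd_t domains; turning it off here can break other web applications that use LDAP` above the setsebool call, and consider reporting the change through `$setup->msg` rather than a level-1 debug line so administrators see it. The enclosing sub removeAdminServer starts before this hunk.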
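Review bot: `setsebool -P httpd_can_connect_ldap on` grants LDAP-port access to every process running in httpd_t, not only the admin server, and `-P` writes it into the persistent policy store, so the comment "allow admin server to connect to the ldap port" understates what is being changed on the host. I would document the real scope next to the call: `# NOTE: this boolean is host-wide and persistent: it lets any httpd_t process reach ldap_port_t, not just the admin server`. Separately, if updateSelinuxPolicy can run where SELinux is disabled or getsebool is absent, the `elsif ($?)` branch will raise error_running_command at WARN for an expected condition; the semanage call in the leading context suggests the caller already guards on SELinux being enabled, but that guard is outside the hunk and worth confirming. The enclosing sub updateSelinuxPolicy begins before this hunk.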