admserv/newinst/src/AdminServer.pm.in | 48 ++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
New commits:
commit 3302242bde80530a4f32069ab786249f4a9a1414
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Thu Dec 15 11:59:30 2011 -0700
Bug 767823 - selinux: need to allow admin server to connect to ldap port
https://bugzilla.redhat.com/show_bug.cgi?id=767823
Resolves: bug 767823
Bug Description: selinux: need to allow admin server to connect to ldap port
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Turn on the selinux boolean httpd_can_connect_ldap during
setup. Turn it off during removal.
Platforms tested: Fedora 16
Flag Day: no
Doc impact: no
diff --git a/admserv/newinst/src/AdminServer.pm.in
b/admserv/newinst/src/AdminServer.pm.in
index d9d7427..f2de530 100644
--- a/admserv/newinst/src/AdminServer.pm.in
+++ b/admserv/newinst/src/AdminServer.pm.in
@@ -678,6 +678,30 @@ sub removeAdminServer {
}
}
}
+
+ # turn off the switch to allow admin server to connect to the ldap port
+ $? = 0; # clear error
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support
httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd,
$output, $!);
+ } elsif ($output =~ /on$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap off";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd,
$output, $!);
+ } else {
+ debug(1, "$cmd was successful\n");
+ }
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already off -
$output\n");
+ }
}
# remove admin server files in $rundir
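Review bot: The removal path turns httpd_can_connect_ldap off whenever getsebool reports it on, without knowing whether this setup was what turned it on; the boolean is host-wide, so any other httpd-hosted application on the same box that needs LDAP loses that access when the admin server is removed. Recording the pre-setup value at the point where updateSelinuxPolicy enables it (assuming setup keeps state that removal can read) and only flipping it off here when setup changed it would avoid that; failing that, a comment such as `# NOTE: httpd_can_connect_ldap is system-wide; turning it off also affects other httpd applications` should state the assumption. The `$!` passed to 'error_running_command' is errno, which a backtick command that merely exited non-zero does not set, so the warning will carry a stale or empty value; `$? >> 8` is the child's exit status and is what the message should report (the updateSelinuxPolicy hunk passes `$!` the same way). removeAdminServer's body begins outside the hunk.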
@@ -755,6 +779,30 @@ sub updateSelinuxPolicy {
system("semanage port -a -t http_port_t -p tcp
$setup->{inf}->{admin}->{Port}");
}
}
+
+ # turn on the switch to allow admin server to connect to the ldap port
+ $? = 0; # clear error
+ my $cmd = "getsebool httpd_can_connect_ldap";
+ my $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($output =~ /Error getting active value for httpd_can_connect_ldap/) {
+ # this version of selinux does not support the boolean value
+ debug(1, "This version of selinux does not support
httpd_can_connect_ldap\n");
+ } elsif ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd,
$output, $!);
+ } elsif ($output =~ /off$/) {
+ $cmd = "setsebool -P httpd_can_connect_ldap on";
+ $? = 0; # clear error
+ $output = `$cmd 2>&1`;
+ chomp($output);
+ if ($?) {
+ $setup->msg($SetupLog::WARN, 'error_running_command', $cmd,
$output, $!);
+ } else {
+ debug(1, "$cmd was successful\n");
+ }
+ } else {
+ debug(1, "selinux boolean httpd_can_connect_ldap is already on -
$output\n");
+ }
}
}