The SELinux policy fix for ipa_memcached is enabled via an SELinux boolean, httpd_manage_ipa. We need to enable this boolean during a server install and upgrade, persistently (the -P flag writes the change into the installed policy so it survives a reboot):
% setsebool -P httpd_manage_ipa=1
On 02/23/2012 06:38 PM, Dmitri Pal wrote:

> On 02/23/2012 02:18 PM, Daniel J Walsh wrote:
>
>> On 02/23/2012 01:59 PM, Simo Sorce wrote:
>>
>>> On Thu, 2012-02-23 at 13:29 -0500, Daniel J Walsh wrote:
>>>
>>>>> Whatever setsebool is doing (I don't think it's recompilation), setsebool -P is not fast; when I did it by hand it took a long while, 30 seconds maybe (I didn't time it). I don't know what it's doing (relabeling?). Anyway, the point is it would seem to slow down the install irrespective of what it's doing internally.
>>>>
>>>> Yes, setsebool -P is going to compile the policy. But are you already compiling policy? You can do multiple transactions within a single command, or you could just turn on the boolean when the service starts and turn it off when it finishes.
>>>
>>> Wouldn't this make the startup dog slow?
>>>
>>> Simo.
>>
>> setsebool without the -P is instantaneous. It is only when you say you want this permanently changed that it is a problem.
>
> So we are going to add it to the command where we compile the policies? Is that what I get? Is this right? Can we do it?
On 02/24/2012 02:46 AM, Alexander Bokovoy wrote:

> On Thu, 23 Feb 2012, John Dennis wrote:
>
>> No, I believe what Dan is suggesting is that our SystemV initscript for ipa_memcached or our systemd service file set the boolean when the service is started and unset it when the service is stopped; that way we don't have to make it persistent with the -P option, which is what takes time.
>>
>> This should be doable in the SystemV initscript; I'm not sure systemd allows for multiple commands or pre/post commands.
>
> It is doable in systemd. ExecStartPre/ExecStopPost in the service stanza can be specified multiple times.
>
> The change needs to be tested, though, to see whether the SELinux context systemd runs in during service startup allows modifying SELinux state.
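The two approaches discussed in the thread, as an added example rather than FreeIPA's own installer or unit file: an idempotent persistent enable for the install/upgrade path that skips the slow `setsebool -P` when the boolean is already on, and a systemd drop-in that toggles the boolean without -P from ExecStartPre/ExecStopPost so it is on only while the service runs. The unit name `ipa_memcached.service`, the drop-in path and the helper names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code). Unit name, drop-in location and
# function names are assumptions for illustration.
#
# 1. Installer/upgrade path: make the boolean persistent with -P, but only
#    when it is not already on, so an upgrade does not rebuild the policy
#    for nothing.
# 2. Service path: flip the boolean without -P (in-kernel only, no policy
#    rebuild) from ExecStartPre/ExecStopPost, so it is on only while
#    ipa_memcached runs.

BOOLEAN=httpd_manage_ipa
UNIT=ipa_memcached.service                    # assumed unit name
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"    # assumed drop-in location

# Parse one line of `getsebool` output ("httpd_manage_ipa --> on") and
# return 0 when the boolean is on. Takes the line as an argument so the
# logic can be exercised on a box without SELinux.
boolean_line_is_on() {
    case "$1" in
        "${BOOLEAN} --> on") return 0 ;;
        *) return 1 ;;
    esac
}

# Idempotent persistent enable for install/upgrade. Silently does nothing
# when the SELinux tools are absent or SELinux is disabled.
ensure_boolean_persistent() {
    command -v getsebool >/dev/null 2>&1 || return 0
    selinuxenabled 2>/dev/null || return 0
    if boolean_line_is_on "$(getsebool "$BOOLEAN")"; then
        echo "${BOOLEAN} already on; skipping slow 'setsebool -P'"
        return 0
    fi
    # -P rewrites and reloads the installed policy: this is the slow step.
    setsebool -P "${BOOLEAN}=1"
}

# Render a drop-in that toggles the boolean around the service lifetime.
# No -P, so the change is immediate and costs no rebuild. The leading '-'
# tells systemd not to fail the unit if setsebool exits non-zero (for
# example when SELinux is disabled or the call is denied by policy).
render_dropin() {
    cat <<EOF
[Service]
ExecStartPre=-/usr/sbin/setsebool ${BOOLEAN}=1
ExecStopPost=-/usr/sbin/setsebool ${BOOLEAN}=0
EOF
}

install_dropin() {
    mkdir -p "$DROPIN_DIR"
    render_dropin > "${DROPIN_DIR}/selinux-boolean.conf"
    systemctl daemon-reload
}

# Usage (as root):
#   ensure_boolean_persistent   # installer/upgrade path
#   install_dropin              # service-scoped alternative
```

The point Alexander raises still applies to the drop-in variant: setsebool is spawned by systemd in the unit's context rather than by an interactive admin shell, so after the first `systemctl start` check `getsebool httpd_manage_ipa` and look for AVC denials (for example `ausearch -m AVC -ts recent`) before relying on it; the `-` prefix keeps a denial from blocking the service but also hides it from the unit's exit status.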
This is a duplicate of 2298
attachment freeipa-rcrit-981-selinux.patch
master: 0425d09
ipa-2-2: faa9b47
Metadata Update from @jdennis: - Issue assigned to rcritten - Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03