#2432 need to set httpd_manage_ipa SELinux boolean
Closed: Fixed None Opened 12 years ago by jdennis.

The SELinux policy fix for ipa_memcached is enabled via a selinux boolean, httpd_manage_ipa. We need to enable this boolean during a server install and upgrade.


% setsebool -P httpd_manage_ipa=1

On 02/23/2012 06:38 PM, Dmitri Pal wrote:

On 02/23/2012 02:18 PM, Daniel J Walsh wrote:

On 02/23/2012 01:59 PM, Simo Sorce wrote:

On Thu, 2012-02-23 at 13:29 -0500, Daniel J Walsh wrote:

Whatever setsebool is doing (I don't think it's recompilation)
but setsebool -P is not fast, when I did it by hand it took a
long while, 30 seconds maybe (I didn't time it). I don't know
what it's doing (relabeling?). Anyway, the point is it would
seem to slow down the install irrespective of what it's doing
internally.

Yes setsebool -P is going to compile the policy. But are you
already compiling policy? You can do multiple transactions within a
single command, or you could just turn on the boolean when the
service starts and turn it off when it finishes.
Wouldn't this make the startup dog slow?
Simo.
setsebool without the -P is instantaneous. It is only when you say you
want this permanently changed that it is a problem.

so we are going to add it to the command where we compile the policies?
Is that what I get. Is this right? Can we do it?

On 02/24/2012 02:46 AM, Alexander Bokovoy wrote:

On Thu, 23 Feb 2012, John Dennis wrote:

No, I believe what Dan is suggesting that our SystemV initscript for
ipa_memcached or our systemd service file set the boolean when the
service is started and unset it when the service is stopped, that
way we don't have to make it persistent with the -P option, which is
what takes time.

This should be doable in the SystemV initscript, I'm not sure
systemd allows for multiple commands or pre/post commands.
It is doable in systemd. ExecStartPre/ExecStopPost in service stanza
can be specified multiple times.

The change needs to be tested though if SELinux context in systemd
during service startup allows modifying SELinux state.
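
An added example, not part of the ticket or of FreeIPA's code: a shell function that tells a runtime-only setting (plain setsebool, as in the start/stop proposal above) apart from a persistent one (setsebool -P) by parsing `semanage boolean -l` style output. The sample listings and the description text in them are constructed, and the category names are this example's own.

```shell
#!/bin/sh
# Classify an SELinux boolean from `semanage boolean -l` style output.
# Each data line has the form:  name   (current , default)  description
#   current = value in the running policy (plain setsebool changes only this)
#   default = persistent value            (setsebool -P changes both)

# Constructed sample: boolean switched on by a service start hook,
# never made persistent.
SAMPLE_RUNTIME_ONLY='SELinux boolean                State  Default Description

httpd_manage_ipa               (on   ,  off)  Allow httpd to manage ipa
httpd_can_network_connect      (off  ,  off)  Allow httpd to can network connect'

# Constructed sample: boolean set with -P during install.
SAMPLE_PERSISTENT='httpd_manage_ipa               (on   ,   on)  Allow httpd to manage ipa'

# classify_boolean NAME   (listing is read from stdin)
# Prints one of: persistent-on, runtime-only, persistent-but-off-now, off, unknown
classify_boolean() {
    awk -v name="$1" '
        $1 == name {
            # Reduce the line to the "cur,def" pair inside the parentheses.
            line = $0
            sub(/^[^(]*\(/, "", line)
            sub(/\).*$/, "", line)
            gsub(/[ \t]/, "", line)
            split(line, v, ",")
            found = 1
            if (v[1] == "on" && v[2] == "on") print "persistent-on"
            else if (v[1] == "on")            print "runtime-only"
            else if (v[2] == "on")            print "persistent-but-off-now"
            else                              print "off"
            exit
        }
        END { if (!found) print "unknown" }
    '
}
```

On a live host the listing comes from `semanage boolean -l | classify_boolean httpd_manage_ipa`; a `runtime-only` result means the setting will not survive a reboot or a policy reload.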

This is a duplicate of 2298

Metadata Update from @jdennis:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03

7 years ago
