Add PKIDeployer.remove_selinux_contexts()

The code that removes SELinux contexts in selinux_setup.py has been moved into PKIDeployer.remove_selinux_contexts().
dogtagpki · Jul 17, 2023 · 000fc75 · 000fc75
1 parent dbaa523
commit 000fc75
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 68 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -3685,6 +3685,17 @@ def restore_selinux_contexts(self, instance):
         selinux.restorecon(instance.log_dir, True)
         selinux.restorecon(instance.conf_dir, True)
 
+    def selinux_context_exists(self, records, context_value):
+        '''
+        Check if a given `context_value` exists in the given set of `records`.
+        This method can process both port contexts and file contexts.
+        '''
+        for keys in records.keys():
+            for key in keys:
+                if str(key) == context_value:
+                    return True
+        return False
+
     def create_selinux_contexts(self, instance):
 
         suffix = '(/.*)?'
@@ -3723,3 +3734,39 @@ def create_selinux_contexts(self, instance):
                 config.PKI_PORT_SELINUX_CONTEXT)
 
         trans.finish()
+
+    def remove_selinux_contexts(self, instance):
+
+        suffix = '(/.*)?'
+
+        trans = seobject.semanageRecords('targeted')
+        trans.start()
+
+        port_records = seobject.portRecords(trans)
+        port_record_values = port_records.get_all()
+
+        for port in config.pki_selinux_config_ports:
+            if self.selinux_context_exists(port_record_values, port):
+                logger.info('Removing SELinux port %s', port)
+                port_records.delete(port, 'tcp')
+
+        fcon = seobject.fcontextRecords(trans)
+        file_records = fcon.get_all()
+
+        if self.selinux_context_exists(file_records, instance.log_dir + suffix):
+            logger.info('Removing SELinux fcontext "%s"', instance.log_dir + suffix)
+            fcon.delete(instance.log_dir + suffix, '')
+
+        if self.selinux_context_exists(file_records, instance.base_dir + suffix):
+            logger.info('Removing SELinux fcontext "%s"', instance.base_dir + suffix)
+            fcon.delete(instance.base_dir + suffix, '')
+
+        if self.selinux_context_exists(file_records, instance.nssdb_dir + suffix):
+            logger.info('Removing SELinux fcontext "%s"', instance.nssdb_dir + suffix)
+            fcon.delete(instance.nssdb_dir + suffix, '')
+
+        if self.selinux_context_exists(file_records, instance.conf_dir + suffix):
+            logger.info('Removing SELinux fcontext "%s"', instance.conf_dir + suffix)
+            fcon.delete(instance.conf_dir + suffix, '')
+
+        trans.finish()
diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py
@@ -45,17 +45,6 @@
 # PKI Deployment Selinux Setup Scriptlet
 class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
-    suffix = "(/.*)?"
-
-    # Helper function to check if a given `context_value` exists in the given
-    # set of `records`. This method can process both port contexts and file contexts
-    def context_exists(self, records, context_value):
-        for keys in records.keys():
-            for key in keys:
-                if str(key) == context_value:
-                    return True
-        return False
-
     def spawn(self, deployer):
 
         if config.str2bool(deployer.mdict['pki_skip_installation']):
@@ -120,66 +109,11 @@ def destroy(self, deployer):
             try:
                 # remove SELinux contexts when removing the last subsystem
                 if len(deployer.tomcat_instance_subsystems()) == 0:
-                    trans = seobject.semanageRecords("targeted")
-                    trans.start()
-
                     if deployer.mdict['pki_instance_name'] != \
                             config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
-
-                        fcon = seobject.fcontextRecords(trans)
-                        file_records = fcon.get_all()
-
-                        if self.context_exists(file_records,
-                                               deployer.mdict['pki_instance_path'] +
-                                               self.suffix):
-                            logger.info(
-                                "deleting selinux fcontext \"%s\"",
-                                deployer.mdict['pki_instance_path'] + self.suffix)
-                            fcon.delete(
-                                deployer.mdict['pki_instance_path'] +
-                                self.suffix, "")
-
-                        if self.context_exists(file_records,
-                                               self.instance.log_dir +
-                                               self.suffix):
-                            logger.info(
-                                "deleting selinux fcontext \"%s\"",
-                                self.instance.log_dir +
-                                self.suffix)
-                            fcon.delete(
-                                self.instance.log_dir +
-                                self.suffix, "")
-
-                        if self.context_exists(file_records,
-                                               deployer.mdict['pki_instance_configuration_path'] +
-                                               self.suffix):
-                            logger.info(
-                                "deleting selinux fcontext \"%s\"",
-                                deployer.mdict['pki_instance_configuration_path'] +
-                                self.suffix)
-                            fcon.delete(
-                                deployer.mdict['pki_instance_configuration_path'] +
-                                self.suffix, "")
-
-                        if self.context_exists(file_records,
-                                               deployer.mdict['pki_server_database_path'] +
-                                               self.suffix):
-                            logger.info(
-                                "deleting selinux fcontext \"%s\"",
-                                deployer.mdict['pki_server_database_path'] + self.suffix)
-                            fcon.delete(
-                                deployer.mdict['pki_server_database_path'] +
-                                self.suffix, "")
-
-                        port_records = seobject.portRecords(trans)
-                        port_record_values = port_records.get_all()
-                        for port in ports:
-                            if self.context_exists(port_record_values, port):
-                                logger.info("deleting selinux port %s", port)
-                                port_records.delete(port, "tcp")
-
-                    trans.finish()
+                        deployer.remove_selinux_contexts(self.instance)
                 break
+
             except ValueError as e:
                 error_message = str(e)
                 logger.error(error_message)