Add PKIDeployer.create_selinux_contexts()

The code that creates SELinux contexts in selinux_setup.py has been moved into PKIDeployer.create_selinux_contexts().
dogtagpki · Jul 17, 2023 · dbaa523 · dbaa523
1 parent f10a99e
commit dbaa523
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 53 deletions.
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
@@ -26,10 +26,12 @@
 import logging
 import os
 import re
+import selinux
 import shutil
 import socket
 import struct
 import subprocess
+import sys
 import tempfile
 import time
 from time import strftime as date
@@ -52,6 +54,16 @@
 from . import pkimanifest as manifest
 from . import pkimessages as log
 
+seobject = None
+if selinux.is_selinux_enabled():
+    try:
+        import seobject
+    except ImportError:
+        # TODO: Fedora 22 has an incomplete Python 3 package
+        # sepolgen is missing.
+        if sys.version_info.major == 2:
+            raise
+
 logger = logging.getLogger(__name__)
 
 
@@ -3666,3 +3678,48 @@ def store_manifest(self, instance):
         logger.info('Creating %s', manifest_archive)
 
         self.file.copy(manifest_file, manifest_archive)
+
+    def restore_selinux_contexts(self, instance):
+        selinux.restorecon(instance.base_dir, True)
+        selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
+        selinux.restorecon(instance.log_dir, True)
+        selinux.restorecon(instance.conf_dir, True)
+
+    def create_selinux_contexts(self, instance):
+
+        suffix = '(/.*)?'
+
+        trans = seobject.semanageRecords('targeted')
+        trans.start()
+
+        fcon = seobject.fcontextRecords(trans)
+
+        logger.info('Adding SELinux fcontext "%s"', instance.conf_dir + suffix)
+        fcon.add(
+            instance.conf_dir + suffix,
+            config.PKI_CFG_SELINUX_CONTEXT, '', 's0', '')
+
+        logger.info('Adding SELinux fcontext "%s"', instance.nssdb_dir + suffix)
+        fcon.add(
+            instance.nssdb_dir + suffix,
+            config.PKI_CERTDB_SELINUX_CONTEXT, '', 's0', '')
+
+        logger.info('Adding SELinux fcontext "%s"', instance.base_dir + suffix)
+        fcon.add(
+            instance.base_dir + suffix,
+            config.PKI_INSTANCE_SELINUX_CONTEXT, '', 's0', '')
+
+        logger.info('Adding SELinux fcontext "%s"', instance.log_dir + suffix)
+        fcon.add(
+            instance.log_dir + suffix,
+            config.PKI_LOG_SELINUX_CONTEXT, '', 's0', '')
+
+        port_records = seobject.portRecords(trans)
+
+        for port in config.pki_selinux_config_ports:
+            logger.info('Adding SELinux port %s', port)
+            port_records.add(
+                port, 'tcp', 's0',
+                config.PKI_PORT_SELINUX_CONTEXT)
+
+        trans.finish()
diff --git a/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py b/base/server/python/pki/server/deployment/scriptlets/selinux_setup.py
@@ -47,12 +47,6 @@ class PkiScriptlet(pkiscriptlet.AbstractBasePkiScriptlet):
 
     suffix = "(/.*)?"
 
-    def restore_context(self, mdict):
-        selinux.restorecon(mdict['pki_instance_path'], True)
-        selinux.restorecon(config.PKI_DEPLOYMENT_LOG_ROOT, True)
-        selinux.restorecon(self.instance.log_dir, True)
-        selinux.restorecon(mdict['pki_instance_configuration_path'], True)
-
     # Helper function to check if a given `context_value` exists in the given
     # set of `records`. This method can process both port contexts and file contexts
     def context_exists(self, records, context_value):
@@ -82,61 +76,18 @@ def spawn(self, deployer):
                 # check first if any transactions are required
                 if len(ports) == 0 and deployer.mdict['pki_instance_name'] == \
                         config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
-                    self.restore_context(deployer.mdict)
+                    deployer.restore_selinux_contexts(self.instance)
                     return
 
                 # add SELinux contexts when adding the first subsystem
                 if len(deployer.tomcat_instance_subsystems()) == 1:
-                    trans = seobject.semanageRecords("targeted")
-                    trans.start()
                     if deployer.mdict['pki_instance_name'] != \
                             config.PKI_DEPLOYMENT_DEFAULT_TOMCAT_INSTANCE_NAME:
+                        deployer.create_selinux_contexts(self.instance)
 
-                        fcon = seobject.fcontextRecords(trans)
-
-                        logger.info(
-                            "adding selinux fcontext \"%s\"",
-                            deployer.mdict['pki_instance_path'] + self.suffix)
-                        fcon.add(
-                            deployer.mdict['pki_instance_path'] + self.suffix,
-                            config.PKI_INSTANCE_SELINUX_CONTEXT, "", "s0", "")
-
-                        logger.info(
-                            "adding selinux fcontext \"%s\"",
-                            self.instance.log_dir +
-                            self.suffix)
-                        fcon.add(
-                            self.instance.log_dir +
-                            self.suffix,
-                            config.PKI_LOG_SELINUX_CONTEXT, "", "s0", "")
-
-                        logger.info(
-                            "adding selinux fcontext \"%s\"",
-                            deployer.mdict['pki_instance_configuration_path'] +
-                            self.suffix)
-                        fcon.add(
-                            deployer.mdict['pki_instance_configuration_path'] +
-                            self.suffix,
-                            config.PKI_CFG_SELINUX_CONTEXT, "", "s0", "")
-
-                        logger.info(
-                            "adding selinux fcontext \"%s\"",
-                            deployer.mdict['pki_server_database_path'] + self.suffix)
-                        fcon.add(
-                            deployer.mdict['pki_server_database_path'] + self.suffix,
-                            config.PKI_CERTDB_SELINUX_CONTEXT, "", "s0", "")
-
-                        port_records = seobject.portRecords(trans)
-                        for port in ports:
-                            logger.info("adding selinux port %s", port)
-                            port_records.add(
-                                port, "tcp", "s0",
-                                config.PKI_PORT_SELINUX_CONTEXT)
-
-                    trans.finish()
-
-                    self.restore_context(deployer.mdict)
+                    deployer.restore_selinux_contexts(self.instance)
                 break
+
             except ValueError as e:
                 error_message = str(e)
                 logger.error(error_message)