Revision 1cc18be4
Added by Lukas Zapletal almost 6 years ago
foreman-selinux-disable | ||
---|---|---|
set +e
|
||
|
||
LIBEXEC_DIR=/usr/libexec/foreman-selinux
|
||
LOG=/var/log/foreman-selinux-install.log
|
||
|
||
# Run hooks
|
||
find ${LIBEXEC_DIR} -name \*-before-disable.sh -type f -executable -exec /usr/bin/bash '{}' \;
|
||
... | ... | |
for selinuxvariant in targeted
|
||
do
|
||
if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
|
||
# Create log entry
|
||
echo "$(date) $0" >> $LOG
|
||
|
||
# Remove all user defined ports (including the default one)
|
||
# (docker and elastic can be removed in future release)
|
||
/usr/sbin/semanage port -E | \
|
||
grep -E '(elasticsearch|docker|foreman_.*)_port_t' | \
|
||
sed s/-a/-d/g | \
|
||
tee -a $LOG | \
|
||
/usr/sbin/semanage -S $selinuxvariant -i -
|
||
# Unload policy
|
||
/usr/sbin/semodule -s $selinuxvariant -r foreman
|
foreman-selinux-enable | ||
---|---|---|
TMP_EXEC_BEFORE=$(mktemp -t foreman-selinux-enable.XXXXX)
|
||
TMP_EXEC_AFTER=$(mktemp -t foreman-selinux-enable.XXXXX)
|
||
TMP_PORTS=$(mktemp -t foreman-selinux-enable.XXXXX)
|
||
LOG=/var/log/foreman-selinux-install.log
|
||
trap "rm -rf '$TMP_EXEC_BEFORE' '$TMP_EXEC_AFTER' '$TMP_PORTS'" EXIT INT TERM
|
||
LIBEXEC_DIR=/usr/libexec/foreman-selinux
|
||
|
||
... | ... | |
for selinuxvariant in targeted
|
||
do
|
||
if /usr/sbin/semodule -s $selinuxvariant -l >/dev/null; then
|
||
# Create port list cache
|
||
/usr/sbin/semanage port -E > $TMP_PORTS
|
||
|
||
# Remove previously defined conflicting docker_port_t (this can be removed in future release)
|
||
grep docker_port_t $TMP_PORTS | sed s/-a/-d/g >> $TMP_EXEC_BEFORE
|
||
grep -E '(container|docker)_port_t' $TMP_PORTS | sed s/-a/-d/g >> $TMP_EXEC_BEFORE
|
||
|
||
# Commit changes
|
||
test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE
|
||
|
||
# Load new policy
|
||
/usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
|
||
|
||
# Create port list cache
|
||
/usr/sbin/semanage port -E > $TMP_PORTS
|
||
|
||
# Assign docker/container port only and only if it's undefined
|
||
grep -qE 'tcp 2375' $TMP_PORTS || \
|
||
... | ... | |
grep -qE 'tcp 2376' $TMP_PORTS || \
|
||
echo "port -a -t foreman_container_port_t -p tcp 2376" >> $TMP_EXEC_AFTER
|
||
|
||
# Set flags for passenger
|
||
echo "boolean -m --on httpd_setrlimit" >> $TMP_EXEC_AFTER
|
||
|
||
# Execute port management commands and load policy
|
||
test -s $TMP_EXEC_BEFORE && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_BEFORE
|
||
/usr/sbin/semanage module -S $selinuxvariant -a /usr/share/selinux/${selinuxvariant}/foreman.pp.bz2
|
||
# Commit changes
|
||
test -s $TMP_EXEC_AFTER && /usr/sbin/semanage -S $selinuxvariant -i $TMP_EXEC_AFTER
|
||
|
||
# Append to log file
|
||
echo "$(date) $0" >> $LOG
|
||
cat $TMP_EXEC_BEFORE >> $LOG
|
||
cat $TMP_EXEC_AFTER >> $LOG
|
||
fi
|
||
done
|
||
|
Also available in: Unified diff
Fixes #23127 - docker upgrade path is correct