Story #1166

As a user, I can install a crane-selinux rpm

Added by cduryee over 6 years ago. Updated almost 3 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Start date:
Due date:
% Done: 100%
Estimated time: (Total: 0:00 h)
Platform Release:
Target Release - Crane:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:

Description

python-crane has semanage statements in %post. These should be moved to a simple policy. The python-crane spec contains the following:


%post
semanage fcontext -a -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane

%postun
if [ $1 -eq 0 ] ; then  # final removal
    semanage fcontext -d -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
    restorecon -R -v %{_var}/lib/crane
fi

I do not think semanage is appropriate in the %post and %postun since it can cause confusion when some selinux-related items work but not others. IMO the statements should be removed in favor of either selinux setup documentation, or a policy file.

QE note: this bug is for a refactor and likely will not have anything to validate aside from regression testing.


Subtasks

Issue #2719: Need to choose a port, and ship SELinux policy for network connections (CLOSED - WONTFIX)

Related issues

Related to Crane - Issue #1572: Yum install python crane raising SE Linux errors (CLOSED - CURRENTRELEASE)

History

#1 Updated by cduryee over 6 years ago

  • Description updated (diff)

#3 Updated by bmbouter over 6 years ago

  • Triaged changed from No to Yes

On a mailing list it was suggested to make a simple selinux policy for crane and have the directory labels done in the fc file and the require of httpd_sys_content_t in the te file. Here's the e-mail explaining why:

Steve wrote:

The problem with doing that is that you encode special knowledge of the policy
in a script. There's no guarantee that httpd_sys_content_t will exist in any
future Fedora release or even between distributions.

Maybe work with the selinux policy writer(s) to get that into policy so that
selinux knows how to label that directory correctly from the beginning. I want
to think that when you use semanage, it's to fix something you've done locally
and unique to your system.
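
The policy-module layout suggested in comment #3, sketched as an added example (not code from the ticket or from the Pulp/Crane project): the directory label goes in an fc file and the te file only requires httpd_sys_content_t. The module name crane, the output directory, the script name, and the expansion of %{_var} to /var are assumptions.

```shell
#!/bin/sh
# Added example (not Pulp/Crane project code). Module name "crane" and the
# expansion of %{_var} to /var are assumptions.

# Write the policy sources: the label lives in the .fc file, and the .te file
# only *requires* the existing type, so the dependency on httpd_sys_content_t
# is declared in policy instead of being encoded in an RPM scriptlet.
write_crane_policy() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/crane.te" <<'EOF'
policy_module(crane, 1.0.0)

gen_require(`
    type httpd_sys_content_t;
')
EOF
    cat > "$dir/crane.fc" <<'EOF'
/var/lib/crane(/.*)?    gen_context(system_u:object_r:httpd_sys_content_t,s0)
EOF
}

# File-context patterns are anchored regexes; check which paths the entry in
# crane.fc would cover (returns 0 when the path is covered).
crane_fc_covers() {
    dir="$1"; path="$2"
    pat=$(awk 'NF { print $1; exit }' "$dir/crane.fc") || return 1
    printf '%s\n' "$path" | grep -Eq "^${pat}\$"
}

# Build with the selinux-policy-devel Makefile, load the module, relabel.
build_and_install_crane_policy() {
    dir="$1"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile crane.pp ) || return 1
    semodule -i "$dir/crane.pp" || return 1
    restorecon -R -v /var/lib/crane
}

# Usage: sh crane-policy.sh install   (as root, on an SELinux-enabled host)
if [ "${1:-}" = "install" ]; then
    write_crane_policy ./crane-selinux && build_and_install_crane_policy ./crane-selinux
fi
```

Removing the package then becomes a `semodule -r crane` followed by a relabel, with no `semanage fcontext -d` left in %postun.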

#4 Updated by bmbouter over 6 years ago

  • Tracker changed from Issue to Story
  • Subject changed from python-crane has semanage statements in %post to As a user, I can install a crane-selinux rpm
  • Description updated (diff)
  • Groomed set to No
  • Sprint Candidate set to No

#5 Updated by bmbouter almost 6 years ago

  • Related to Issue #1572: Yum install python crane raising SE Linux errors added

#6 Updated by bmbouter almost 6 years ago

  • Parent task set to #1826

#7 Updated by bmbouter almost 6 years ago

  • Tags SELinux added

#8 Updated by bmbouter almost 6 years ago

  • Parent task deleted (#1826)

#9 Updated by bmbouter almost 3 years ago

  • Status changed from NEW to CLOSED - WONTFIX

#10 Updated by bmbouter almost 3 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

#11 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added
