Project

Profile

Help

Story #1166

closed

As a user, I can install a crane-selinux rpm

Added by cduryee almost 9 years ago. Updated about 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Start date:
Due date:
% Done:

100%

Estimated time:
(Total: 0:00 h)
Platform Release:
Target Release - Crane:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2, SELinux
Sprint:
Quarter:

Description

python-crane has semanage statements in %post. These should be moved to a simple policy. The python-crane spec contains the following:


%post
semanage fcontext -a -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane

%postun
if [ $1 -eq 0 ] ; then  # final removal
semanage fcontext -d -t httpd_sys_content_t '%{_var}/lib/crane(/.*)?'
restorecon -R -v %{_var}/lib/crane
fi

I do not think semanage is appropriate in the %post and %postun since it can cause confusion when some selinux-related items work but not others. IMO the statements should be removed in favor of either selinux setup documentation, or a policy file.

QE note: this bug is for a refactor and likely will not have anything to validate aside from regression testing.


Sub-issues 1 (0 open1 closed)

Issue #2719: Need to choose a port, and ship SELinux policy for network connectionsCLOSED - WONTFIXActions

Related issues

Related to Crane - Issue #1572: Yum install python crane raising SE Linux errorsCLOSED - CURRENTRELEASEpcreechActions
Actions #1

Updated by cduryee almost 9 years ago

  • Description updated (diff)
Actions #3

Updated by bmbouter over 8 years ago

  • Triaged changed from No to Yes

On a mailing list it was suggested to make a simple selinux policy for crane and have the directory labels done in the fc file and the require of httpd_sys_content_t in the te file. Here's the e-mail explaining why:

Steve wrote:

The problem with doing that is that you encode special knowledge of the policy
in a script. There's no guarantee that httpd_sys_content_t will exist in any
future Fedora release or event between distributions.

Maybe work with the selinux policy writer(s) to get that into policy so that
selinux knows how to label that directory correctly from the beginning. I want
to think that when you use semanage, its to fix something you've done locally
and unique to your system.

Actions #4

Updated by bmbouter over 8 years ago

  • Tracker changed from Issue to Story
  • Subject changed from python-crane has semanage statements in %post to As a user, I can install a crane-selinux rpm
  • Description updated (diff)
  • Groomed set to No
  • Sprint Candidate set to No
Actions #5

Updated by bmbouter over 8 years ago

  • Related to Issue #1572: Yum install python crane raising SE Linux errors added
Actions #6

Updated by bmbouter about 8 years ago

  • Parent issue set to #1826
Actions #7

Updated by bmbouter about 8 years ago

  • Tags SELinux added
Actions #8

Updated by bmbouter about 8 years ago

  • Parent issue deleted (#1826)
Actions #9

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions #10

Updated by bmbouter about 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #11

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF