Project

Profile

Help

Task #1459

closed

Story #1150: As a user, I can lazily fetch repositories

Update SELinux rules for lazy sync

Added by jcline@redhat.com almost 9 years ago. Updated over 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
2.8.0
Groomed:
No
Sprint Candidate:
Yes
Tags:
Pulp 2
Sprint:
Quarter:

Description

Lazy sync introduces several new WSGI applications, processes, files, etc. SELinux rules need to be written to support lazy.

The following processes are new:

  • squid
    - I expect this to already have an SELinux policy somewhere and we probably don't need to do anything.
  • pulp_streamer
    - Currently set to run as the 'apache' user.
    - Launches a twistd application in /srv/pulp/streamer.tac
    - Its systemd unit and init script can be found in the streamer package in pulp for more information
    - Currently runs in the 'system_u:system_r:unconfined_service_t:s0' context
    - Reads a configuration file at '/etc/pulp/streamer.conf'
    - Communicates with MongoDB

In addition to those processes, there are two new WSGI applications:

  • streamer_auth.wsgi
    - Reads '/etc/pulp/server.conf'
    - Loads the RSA public key specified in the 'authentication' section, 'rsa_pub' value in above config
  • content.wsgi
    - Reads '/etc/pulp/server.conf'
    - Loads the RSA private key specified in the 'authentication' section, 'rsa_key' value in above config
    - calls `os.path.realpath` on provided file paths. These links will be in /var/www/pub/<something> and should resolve to something in /var/lib/pulp/content

Related issues

Blocks Pulp - Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp CLOSED - CURRENTRELEASE

Actions
Actions #1

Updated by mhrivnak almost 9 years ago

  • Priority changed from Normal to High
  • Sprint Candidate changed from No to Yes
Actions #2

Updated by bmbouter almost 9 years ago

This needs more detail to be actionable. Let's start with some questions:

What specifically are the new processes?
What selinux context do those processes run with normally? `ps -awfuxZ | grep <processname>` would show it.

Are there any new files that are created as part of the lazy work that are in a different location than before?
Do any of the new processes need to operate on those other files?

Actions #3

Updated by jcline@redhat.com almost 9 years ago

  • Description updated (diff)
Actions #4

Updated by jcline@redhat.com almost 9 years ago

  • Status changed from NEW to POST
  • Assignee set to jcline@redhat.com
Actions #5

Updated by jcline@redhat.com almost 9 years ago

  • Status changed from POST to ASSIGNED
  • Assignee changed from jcline@redhat.com to bmbouter
Actions #6

Updated by bmbouter almost 9 years ago

  • Platform Release set to 2.8.0
Actions #7

Updated by dkliban@redhat.com almost 9 years ago

  • Blocks Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp added

Added by bmbouter almost 9 years ago

Revision 718c24aa | View on GitHub

Adds pulp-streamer SELinux policy

closes #1459 https://pulp.plan.io/issues/1459

Added by bmbouter almost 9 years ago

Revision 718c24aa | View on GitHub

Adds pulp-streamer SELinux policy

closes #1459 https://pulp.plan.io/issues/1459

Actions #8

Updated by bmbouter almost 9 years ago

  • Status changed from ASSIGNED to POST

Added by bmbouter almost 9 years ago

Revision 8b0e0d9e | View on GitHub

Changes after feedback in #selinux on freenode

re #1459 https://pulp.plan.io/issues/1459

Added by bmbouter almost 9 years ago

Revision 8b0e0d9e | View on GitHub

Changes after feedback in #selinux on freenode

re #1459 https://pulp.plan.io/issues/1459

Actions #9

Updated by bmbouter almost 9 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

Added by bmbouter almost 9 years ago

Revision 500cbc58 | View on GitHub

Adds the pulp-streamer SELinux policy the spec file

re #1459 https://pulp.plan.io/issues/1459

Added by bmbouter almost 9 years ago

Revision 500cbc58 | View on GitHub

Adds the pulp-streamer SELinux policy the spec file

re #1459 https://pulp.plan.io/issues/1459

Added by bmbouter almost 9 years ago

Revision f47baa1f | View on GitHub

Restricts squid SELinux workaround to Fedora 23 only

re #1459 https://pulp.plan.io/issues/1459

Added by bmbouter almost 9 years ago

Revision f47baa1f | View on GitHub

Restricts squid SELinux workaround to Fedora 23 only

re #1459 https://pulp.plan.io/issues/1459

Actions #10

Updated by dkliban@redhat.com almost 9 years ago

  • Status changed from MODIFIED to 5

Added by rbarlow almost 9 years ago

Revision 5a3d9361 | View on GitHub

Add dev_read_urand to the pulp_streamer_t policy.

This commit adds an SELinux rule to allow the streamer to access /dev/urandom.

https://pulp.plan.io/issues/1459 https://pulp.plan.io/issues/1711

re #1459 fixes #1711

Added by rbarlow almost 9 years ago

Revision 5a3d9361 | View on GitHub

Add dev_read_urand to the pulp_streamer_t policy.

This commit adds an SELinux rule to allow the streamer to access /dev/urandom.

https://pulp.plan.io/issues/1459 https://pulp.plan.io/issues/1711

re #1459 fixes #1711

Added by bmbouter almost 9 years ago

Revision df7e5c5b | View on GitHub

Adds pulp_streamer_tmp_t to the pulp-streamer SELinux policy

Also removes inappropriate semicolons behind Refpol statements

re #1459 closes #1726 https://pulp.plan.io/issues/1726

Added by bmbouter almost 9 years ago

Revision df7e5c5b | View on GitHub

Adds pulp_streamer_tmp_t to the pulp-streamer SELinux policy

Also removes inappropriate semicolons behind Refpol statements

re #1459 closes #1726 https://pulp.plan.io/issues/1726

Actions #11

Updated by dkliban@redhat.com almost 9 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #12

Updated by bmbouter over 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF