Task #1459 (closed)
Parent: Story #1150: As a user, I can lazily fetch repositories
Update SELinux rules for lazy sync
Done: 100%
Description
Lazy sync introduces several new WSGI applications, processes, files, etc. SELinux rules need to be written to support lazy sync.
The following processes are new:
- squid
  - I expect this to already have an SELinux policy somewhere and we probably don't need to do anything.
- pulp_streamer
  - Currently set to run as the 'apache' user.
  - Launches a twistd application from /srv/pulp/streamer.tac
  - Its systemd unit and init script can be found in the streamer package in pulp; see those for more information
  - Currently runs in the 'system_u:system_r:unconfined_service_t:s0' context
  - Reads a configuration file at '/etc/pulp/streamer.conf'
  - Communicates with MongoDB
In addition to those processes, there are two new WSGI applications:
- streamer_auth.wsgi
  - Reads '/etc/pulp/server.conf'
  - Loads the RSA public key specified by the 'rsa_pub' value in the 'authentication' section of that config
- content.wsgi
  - Reads '/etc/pulp/server.conf'
  - Loads the RSA private key specified by the 'rsa_key' value in the 'authentication' section of that config
  - Calls `os.path.realpath` on the provided file paths. These symlinks live under /var/www/pub/<something> and should resolve to paths under /var/lib/pulp/content
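An added illustration (not the policy merged from the linked PR) of what a minimal refpolicy-style module for the streamer could look like, covering the items listed above: a confined domain instead of unconfined_service_t, the config file, a private tmp type, /dev/urandom and the outbound MongoDB connection. The type names other than pulp_streamer_t and pulp_streamer_tmp_t, and the executable path in the file-context entries, are assumptions.

```selinux
# pulp_streamer.te (illustrative module, not the project's policy)
policy_module(pulp_streamer, 1.0.0)

########################################
# Declarations

# Confined domain for the twistd streamer process and the type its
# entrypoint is labelled with, so init transitions into the domain.
type pulp_streamer_t;
type pulp_streamer_exec_t;
init_daemon_domain(pulp_streamer_t, pulp_streamer_exec_t)

# Label for /etc/pulp/streamer.conf (type name is an assumption).
type pulp_streamer_conf_t;
files_config_file(pulp_streamer_conf_t)

# Private temporary files, as added in the df7e5c5b commit on this issue.
type pulp_streamer_tmp_t;
files_tmp_file(pulp_streamer_tmp_t)

########################################
# Policy
# Note: refpolicy interface calls are m4 macros and take no trailing
# semicolon; only raw allow/type statements end with one.

# Read-only access to the streamer configuration file.
read_files_pattern(pulp_streamer_t, pulp_streamer_conf_t, pulp_streamer_conf_t)

# Files the streamer creates under /tmp get the private tmp type.
manage_dirs_pattern(pulp_streamer_t, pulp_streamer_tmp_t, pulp_streamer_tmp_t)
manage_files_pattern(pulp_streamer_t, pulp_streamer_tmp_t, pulp_streamer_tmp_t)
files_tmp_filetrans(pulp_streamer_t, pulp_streamer_tmp_t, { dir file })

# Entropy source, as in the dev_read_urand commit on this issue.
dev_read_urand(pulp_streamer_t)

# Outbound TCP to MongoDB (mongod_port_t from the distribution base policy).
corenet_tcp_connect_mongod_port(pulp_streamer_t)

# pulp_streamer.fc (illustrative; the executable path is a placeholder)
# /usr/bin/pulp_streamer        --  gen_context(system_u:object_r:pulp_streamer_exec_t,s0)
# /etc/pulp/streamer\.conf      --  gen_context(system_u:object_r:pulp_streamer_conf_t,s0)
```

After loading such a module, `ps -awfuxZ | grep pulp_streamer` should show the process in pulp_streamer_t rather than unconfined_service_t, and any remaining denials surface in the audit log for refinement.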
Related issues
Updated by mhrivnak about 9 years ago
- Priority changed from Normal to High
- Sprint Candidate changed from No to Yes
Updated by bmbouter about 9 years ago
This needs more detail to be actionable. Let's start with some questions:
What specifically are the new processes?
What SELinux context do those processes run with normally? `ps -awfuxZ | grep <processname>` would show it.
Are there any new files that are created as part of the lazy work that are in a different location than before?
Do any of the new processes need to operate on those other files?
Updated by jcline@redhat.com almost 9 years ago
- Status changed from NEW to POST
- Assignee set to jcline@redhat.com
Updated by jcline@redhat.com almost 9 years ago
- Status changed from POST to ASSIGNED
- Assignee changed from jcline@redhat.com to bmbouter
Updated by dkliban@redhat.com almost 9 years ago
- Blocks Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp added
Added by bmbouter almost 9 years ago
Revision 718c24aa
Adds pulp-streamer SELinux policy
Updated by bmbouter almost 9 years ago
- Status changed from ASSIGNED to POST
PR available at: https://github.com/pulp/pulp/pull/2433
Added by bmbouter almost 9 years ago
Revision 8b0e0d9e
Changes after feedback in #selinux on freenode
Updated by bmbouter almost 9 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|718c24aa32b75de032d5e6b46c5077e919e2db17.
Added by bmbouter almost 9 years ago
Revision 500cbc58
Adds the pulp-streamer SELinux policy to the spec file
Added by bmbouter almost 9 years ago
Revision f47baa1f
Restricts squid SELinux workaround to Fedora 23 only
Updated by dkliban@redhat.com almost 9 years ago
- Status changed from MODIFIED to 5
Added by rbarlow almost 9 years ago
Revision 5a3d9361
Add dev_read_urand to the pulp_streamer_t policy.
This commit adds an SELinux rule to allow the streamer to access /dev/urandom.
https://pulp.plan.io/issues/1459 https://pulp.plan.io/issues/1711
Added by bmbouter almost 9 years ago
Revision df7e5c5b
Adds pulp_streamer_tmp_t to the pulp-streamer SELinux policy
Also removes inappropriate semicolons behind Refpol statements
re #1459 closes #1726 https://pulp.plan.io/issues/1726
Updated by dkliban@redhat.com almost 9 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Adds pulp-streamer SELinux policy
closes #1459 https://pulp.plan.io/issues/1459