Task #1459

Story #1150: As a user, I can lazily fetch repositories

Update SELinux rules for lazy sync

Added by jcline@redhat.com almost 6 years ago. Updated over 2 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
2.8.0
Groomed:
No
Sprint Candidate:
Yes
Tags:
Pulp 2
Sprint:
Quarter:

Description

Lazy sync introduces several new WSGI applications, processes, files, etc. SELinux rules need to be written to support lazy.

The following processes are new:

  • squid
    - I expect this to already have an SELinux policy somewhere and we probably don't need to do anything.
  • pulp_streamer
    - Currently set to run as the 'apache' user.
    - Launches a twistd application in /srv/pulp/streamer.tac
    - Its systemd unit and init script can be found in the streamer package in pulp for more information
    - Currently runs in the 'system_u:system_r:unconfined_service_t:s0' context
    - Reads a configuration file at '/etc/pulp/streamer.conf'
    - Communicates with MongoDB

In addition to those processes, there are two new WSGI applications:

  • streamer_auth.wsgi
    - Reads '/etc/pulp/server.conf'
    - Loads the RSA public key specified in the 'authentication' section, 'rsa_pub' value in above config
  • content.wsgi
    - Reads '/etc/pulp/server.conf'
    - Loads the RSA private key specified in the 'authentication' section, 'rsa_key' value in above config
    - calls `os.path.realpath` on provided file paths. These links will be in /var/www/pub/<something> and should resolve to something in /var/lib/pulp/content
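
A worked policy module for the streamer, built from the facts listed above (twistd daemon, reads /etc/pulp/streamer.conf, talks to MongoDB, currently lands in unconfined_service_t) plus the two rules the later revisions add (dev_read_urand, pulp_streamer_tmp_t). This is an added example written for this page in refpolicy/Fedora selinux-policy style, not Pulp's own pulp-streamer policy from the revisions below. Assumptions not stated in the issue: the streamer is launched through an executable at /usr/bin/pulp_streamer, Pulp's content under /var/lib/pulp carries a type named pulp_var_lib_t, and the interface name corenet_tcp_connect_mongod_port is the Fedora policy's name for the mongod port type (27017). The listening port is not given on this page, so no port rule is included.

```selinux
policy_module(pulp_streamer, 1.0.0)

########################################
#
# Declarations
#

# Domain for the twistd process and the type of the file that
# triggers the transition into it (path assumed, see the .fc below).
type pulp_streamer_t;
type pulp_streamer_exec_t;
init_daemon_domain(pulp_streamer_t, pulp_streamer_exec_t)

# Scratch files under /tmp get a private type instead of tmp_t
# (the same idea as revision df7e5c5b, which adds pulp_streamer_tmp_t).
type pulp_streamer_tmp_t;
files_tmp_file(pulp_streamer_tmp_t)

########################################
#
# Local policy
#

# twistd needs pipes and sockets for its own event loop.
allow pulp_streamer_t self:fifo_file rw_fifo_file_perms;
allow pulp_streamer_t self:tcp_socket create_stream_socket_perms;
allow pulp_streamer_t self:unix_stream_socket create_stream_socket_perms;

# Private temporary files: create, read, write and remove them, and
# have new files in /tmp labelled pulp_streamer_tmp_t automatically.
manage_dirs_pattern(pulp_streamer_t, pulp_streamer_tmp_t, pulp_streamer_tmp_t)
manage_files_pattern(pulp_streamer_t, pulp_streamer_tmp_t, pulp_streamer_tmp_t)
files_tmp_filetrans(pulp_streamer_t, pulp_streamer_tmp_t, { dir file })

# /etc/pulp/streamer.conf is plain etc_t; read access only.
files_read_etc_files(pulp_streamer_t)

# The .tac file is run by the Python interpreter, so the domain must
# execute bin_t and read locale data.
corecmd_exec_bin(pulp_streamer_t)
miscfiles_read_localization(pulp_streamer_t)

# Entropy for TLS and tokens (revision 5a3d9361 adds exactly this
# after the streamer was denied access to /dev/urandom).
dev_read_urand(pulp_streamer_t)

# Outbound client connection to MongoDB; no listening rule here
# because the issue does not state the streamer's port.
corenet_tcp_sendrecv_generic_if(pulp_streamer_t)
corenet_tcp_sendrecv_generic_node(pulp_streamer_t)
corenet_tcp_connect_mongod_port(pulp_streamer_t)

# Runs as the apache user/group, so uid/gid lookups go through NSS,
# and daemon errors go to syslog.
auth_use_nsswitch(pulp_streamer_t)
logging_send_syslog_msg(pulp_streamer_t)

# Read-only access to the content store. The type name pulp_var_lib_t
# is an assumption for this example; the streamer never needs write.
optional_policy(`
    gen_require(`
        type pulp_var_lib_t;
    ')
    read_files_pattern(pulp_streamer_t, pulp_var_lib_t, pulp_var_lib_t)
    read_lnk_files_pattern(pulp_streamer_t, pulp_var_lib_t, pulp_var_lib_t)
')

########################################
#
# pulp_streamer.fc (separate file; the launcher path is assumed)
#
# /usr/bin/pulp_streamer  --  gen_context(system_u:object_r:pulp_streamer_exec_t,s0)
```

Build and load with `make -f /usr/share/selinux/devel/Makefile pulp_streamer.pp` followed by `semodule -i pulp_streamer.pp`, then `restorecon -v /usr/bin/pulp_streamer` and restart the unit; `ps -eZ | grep twistd` should now show pulp_streamer_t rather than the unconfined_service_t noted in the description. The transition only happens if the systemd unit's ExecStart points at the file labelled pulp_streamer_exec_t; if the unit invokes twistd directly, the process inherits init's default and stays unconfined, which is the cheapest way to end up with exactly the context reported above. Denials after loading can be read back with `ausearch -m AVC -c twistd` and turned into candidate rules with `audit2allow`, but each one should be matched to a refpolicy interface as above rather than pasted in as a raw allow. Note that interface calls take no trailing semicolon while raw allow rules require one, which is the mistake revision df7e5c5b cleans up.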

Related issues

Blocks Pulp - Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp CLOSED - CURRENTRELEASE

Associated revisions

Revision 718c24aa View on GitHub
Added by bmbouter over 5 years ago

Adds pulp-streamer SELinux policy

closes #1459 https://pulp.plan.io/issues/1459

Revision 8b0e0d9e View on GitHub
Added by bmbouter over 5 years ago

Changes after feedback in #selinux on freenode

re #1459 https://pulp.plan.io/issues/1459

Revision 500cbc58 View on GitHub
Added by bmbouter over 5 years ago

Adds the pulp-streamer SELinux policy to the spec file

re #1459 https://pulp.plan.io/issues/1459

Revision f47baa1f View on GitHub
Added by bmbouter over 5 years ago

Restricts squid SELinux workaround to Fedora 23 only

re #1459 https://pulp.plan.io/issues/1459

Revision 5a3d9361 View on GitHub
Added by rbarlow over 5 years ago

Add dev_read_urand to the pulp_streamer_t policy.

This commit adds an SELinux rule to allow the streamer to access /dev/urandom.

https://pulp.plan.io/issues/1459 https://pulp.plan.io/issues/1711

re #1459 fixes #1711

Revision df7e5c5b View on GitHub
Added by bmbouter over 5 years ago

Adds pulp_streamer_tmp_t to the pulp-streamer SELinux policy

Also removes inappropriate semicolons behind Refpol statements

re #1459 closes #1726 https://pulp.plan.io/issues/1726

History

#1 Updated by mhrivnak almost 6 years ago

  • Priority changed from Normal to High
  • Sprint Candidate changed from No to Yes

#2 Updated by bmbouter almost 6 years ago

This needs more detail to be actionable. Let's start with some questions:

What specifically are the new processes?
What selinux context do those processes run with normally? `ps -awfuxZ | grep <processname>` would show it.

Are there any new files that are created as part of the lazy work that are in a different location than before?
Do any of the new processes need to operate on those other files?

#3 Updated by jcline@redhat.com almost 6 years ago

  • Description updated (diff)

#4 Updated by jcline@redhat.com over 5 years ago

  • Status changed from NEW to POST
  • Assignee set to jcline@redhat.com

#5 Updated by jcline@redhat.com over 5 years ago

  • Status changed from POST to ASSIGNED
  • Assignee changed from jcline@redhat.com to bmbouter

#6 Updated by bmbouter over 5 years ago

  • Platform Release set to 2.8.0

#7 Updated by dkliban@redhat.com over 5 years ago

  • Blocks Task #1616: Turn on SELinux in Jenkins nightly deployments of Pulp added

#8 Updated by bmbouter over 5 years ago

  • Status changed from ASSIGNED to POST

#9 Updated by bmbouter over 5 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100

#10 Updated by dkliban@redhat.com over 5 years ago

  • Status changed from MODIFIED to 5

#11 Updated by dkliban@redhat.com over 5 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE

#12 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added
