Task #1811
Give importer certs their own SELinux label
Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: Pulp 2, SELinux
Sprint:
Quarter:
Description
If you configure a cert for an importer to use, it should have its own SELinux filesystem type that is different from other Pulp content in /var/lib/pulp/.
For example this cert:
/var/lib/pulp/importers/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_7_Server_RPMs_x86_64_7Server-yum_importer/pki/ca.crt
Currently gets these permissions:
-rw-------. apache apache system_u:object_r:httpd_sys_rw_content_t:s0
Instead it should get some Pulp-specific type so that there is significantly less read access to these files. The SELinux policies will also have to be updated to match.
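An audit for the condition described in this ticket, added here as an example and not part of the ticket or of Pulp: it lists importer PKI files that still carry the generic `httpd_sys_rw_content_t` type. It assumes input lines in the form GNU find prints with `-printf '%Z %p\n'`; the function names, the sample listing and the type `example_pulp_cert_t` are hypothetical.

```shell
#!/bin/sh
# Added example, not Pulp code. Flags importer PKI files that still carry the
# generic Apache content type shown in the ticket.

GENERIC_TYPE="httpd_sys_rw_content_t"   # type quoted in the ticket

# Reads "<context> <path>" lines on stdin and prints the path of every file
# under /var/lib/pulp/importers/<importer>/pki/ whose SELinux type equals
# $GENERIC_TYPE. Returns 1 if any such file was found, 0 otherwise.
flag_generic_importer_certs() {
    awk -v generic="$GENERIC_TYPE" '
    {
        ctx = $1
        path = substr($0, length(ctx) + 2)   # keeps paths containing spaces
        # A context is user:role:type:level, and the level may itself contain
        # ":" (for example s0:c1,c2), so the type is always the third field.
        n = split(ctx, part, ":")
        if (n < 4) next                      # unlabeled entry such as "?"
        if (path !~ "^/var/lib/pulp/importers/[^/]+/pki/") next
        if (part[3] == generic) { print path; hits++ }
    }
    END { exit (hits > 0) }'
}

# Constructed sample input. The first path is the one quoted in the ticket;
# example_pulp_cert_t is a hypothetical dedicated type, not a real policy type.
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp/importers/Default_Organization-Red_Hat_Enterprise_Linux_Server-Red_Hat_Enterprise_Linux_7_Server_RPMs_x86_64_7Server-yum_importer/pki/ca.crt
system_u:object_r:example_pulp_cert_t:s0 /var/lib/pulp/importers/example-yum_importer/pki/client.crt
system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp/content/example.rpm
EOF
}

# On a live host with SELinux enabled and GNU find:
#   find /var/lib/pulp/importers -path '*/pki/*' -type f -printf '%Z %p\n' \
#       | flag_generic_importer_certs
```

Against the constructed listing only the `ca.crt` path from the ticket is reported; the file under `/var/lib/pulp/content/` is ignored because it is ordinary Pulp content rather than an importer credential.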