Task #2415

closed

Make pulp-smash jobs run with SELinux in Permissive mode

Added by dkliban@redhat.com over 7 years ago. Updated almost 4 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

The nightly jobs that install Pulp and run pulp-smash should take a parameter that determines the state of SELinux on the server running Pulp. The default should set SELinux to permissive mode. In both cases /var/log/audit/audit.log should be captured for the duration of pulp-smash run. If audit.log contains any references to 'celery_t', the job should be marked as Unstable. The full audit.log should be preserved.

This will require updating the job definition in pulp_packaging.

Actions #1

Updated by dkliban@redhat.com over 7 years ago

  • Sprint Candidate changed from No to Yes

Actions #2

Updated by semyers over 7 years ago

dkliban@redhat.com wrote:

If audit.log contains any references to 'celery_t', the job should be marked as Unstable. The full audit.log should be preserved.

I think that if any denials are seen, not just ones related to celery_t, the build should be unstable. Is there a particular reason for limiting it to just this label?

Actions #3

Updated by dkliban@redhat.com over 7 years ago

I think there are always going to be denials present that are caused by other processes on the system. However, you are right that we should not limit it to just celery_t. We should grep for all the contexts that we require in our SELinux policies [0-2]. I think the full list of contexts we are interested in are:

celery_t
celery_exec_t
httpd_sys_rw_content_t
pulp_var_run_t
pulp_tmp_t
pulp_var_cache_t
pulp_cert_t
puppet_etc_t
tmp_t
httpd_t
streamer_t
streamer_exec_t
pulp_streamer_tmp_t
squid_t
rpm_exec_t
proc_t

[0] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-server.te
[1] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-celery.te
[2] https://github.com/pulp/pulp/blob/master/server/selinux/server/pulp-streamer.te

Actions #4

Updated by bmbouter over 7 years ago

Assuming that there is a pulp-smash test which verifies that the processes have transitioned their SELinux process contexts correctly, I think we should only grep for SELinux contexts of the processes we are running as. Specifically that would be:

httpd_t
celery_t
streamer_t
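
The check that the description and comments #3 and #4 call for, written out as an added example (it is not code from the ticket, from pulp_packaging or from pulp-smash): it parses the AVC records out of a constructed audit.log sample, compares the type field of scontext (and optionally tcontext) exactly against either of the two lists above, and returns UNSTABLE or SUCCESS for the job. The sample log lines, the function names and the two list names are assumptions. Comparing the parsed type exactly matters because a plain substring grep over the raw log over-reports: 'httpd_t' is a substring of 'httpd_tmp_t' and 'tmp_t' matches every *_tmp_t type, which the naive_grep helper shows side by side.

```python
"""Flag AVC denials for the Pulp SELinux types in a captured audit.log.

Added example for this ticket; not part of pulp_packaging or pulp-smash.
Field layout follows the standard auditd AVC record format.
"""
import re

# Types listed in comment #3 (all contexts used by the pulp-*.te policies).
FULL_CONTEXTS = [
    "celery_t", "celery_exec_t", "httpd_sys_rw_content_t", "pulp_var_run_t",
    "pulp_tmp_t", "pulp_var_cache_t", "pulp_cert_t", "puppet_etc_t", "tmp_t",
    "httpd_t", "streamer_t", "streamer_exec_t", "pulp_streamer_tmp_t",
    "squid_t", "rpm_exec_t", "proc_t",
]
# Types listed in comment #4 (domains the Pulp processes actually run as).
PROCESS_CONTEXTS = ["httpd_t", "celery_t", "streamer_t"]

# Constructed sample audit.log content (not captured from a real job).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1489000000.123:456): avc:  denied  { write } for  pid=1234 comm="celery" name="pulp" dev="dm-0" ino=789 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1489000001.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="server.key" dev="dm-0" ino=790 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pulp_cert_t:s0 tclass=file permissive=1
type=AVC msg=audit(1489000002.789:458): avc:  denied  { execute } for  pid=3456 comm="other" path="/tmp/x" dev="dm-0" ino=791 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1489000002.789:458): arch=c000003e syscall=59 success=yes exit=0 comm="other"
"""

AVC_DENIED = re.compile(
    r"^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_denials(log_text):
    """Yield one dict per AVC 'denied' record; other record types are skipped."""
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if not m:
            continue
        permissive = re.search(r"\bpermissive=(\d)", line)
        yield {
            "perms": m.group("perms").split(),
            "stype": selinux_type(m.group("scontext")),
            "ttype": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access was logged but allowed to proceed
            "permissive": permissive.group(1) == "1" if permissive else None,
            "raw": line,
        }


def find_denials(log_text, types, source_only=False):
    """Denials whose source type (or, unless source_only, target type) is in types.

    The comparison is exact on the parsed type field, so 'httpd_t' does not
    match an 'httpd_tmp_t' target the way a substring grep would.
    """
    wanted = set(types)
    return [
        d for d in parse_denials(log_text)
        if d["stype"] in wanted or (not source_only and d["ttype"] in wanted)
    ]


def naive_grep(log_text, types):
    """The substring-grep approach from the description, kept for comparison."""
    return [line for line in log_text.splitlines() if any(t in line for t in types)]


def job_result(log_text, types, source_only=False):
    """'UNSTABLE' if any matching denial was logged, else 'SUCCESS'."""
    return "UNSTABLE" if find_denials(log_text, types, source_only) else "SUCCESS"


if __name__ == "__main__":
    for d in find_denials(SAMPLE_AUDIT_LOG, PROCESS_CONTEXTS, source_only=True):
        print(d["stype"], "->", d["ttype"], d["tclass"], d["perms"])
    print(job_result(SAMPLE_AUDIT_LOG, PROCESS_CONTEXTS, source_only=True))
```

On the sample, the exact check finds two denials for either list (the third record is an unrelated domain touching an httpd_tmp_t file), while the substring grep reports three. In a job, feed it the audit.log captured for the duration of the run and keep the raw lines of the hits alongside the preserved full log.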

Actions #5

Updated by amacdona@redhat.com over 5 years ago

  • Sprint Candidate changed from Yes to No

Actions #6

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX

Actions #7

Updated by bmbouter about 5 years ago

Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.

Actions #8

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added