Task #2415
closed
Make pulp-smash jobs run with SELinux in Permissive mode
Description
The nightly jobs that install Pulp and run pulp-smash should take a parameter that determines the state of SELinux on the server running Pulp. The default should set SELinux to permissive mode. In both cases /var/log/audit/audit.log should be captured for the duration of the pulp-smash run. If audit.log contains any references to 'celery_t', the job should be marked as Unstable. The full audit.log should be preserved.
This will require updating the job definition in pulp_packaging.
- Sprint Candidate changed from No to Yes
dkliban@redhat.com wrote:
> If audit.log contains any references to 'celery_t', the job should be marked as Unstable. The full audit.log should be preserved.
I think that if any denials are seen, not just ones related to celery_t, the build should be unstable. Is there a particular reason for limiting it to just this label?
Assuming that there is a pulp-smash test which verifies that the processes have transitioned their SELinux process contexts correctly, I think we should only grep for SELinux contexts of the processes we are running as. Specifically that would be:
httpd_t
celery_t
streamer_t
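The check discussed above, as an added example that is not part of the ticket or of the pulp_packaging job definition: it counts AVC denials whose source context (scontext) type is one of the three listed domains. A plain grep for 'celery_t' would also match SYSCALL records and denials where celery_t is only the target. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket. Domains are the ones listed in the thread.
PULP_DOMAINS='httpd_t celery_t streamer_t'

# Print each AVC denial in audit log $1 whose *source* context type is a Pulp domain.
pulp_denials() {
    awk -v domains="$PULP_DOMAINS" '
        BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
        /^type=AVC / && / denied / {
            for (i = 1; i <= NF; i++) if ($i ~ /^scontext=/) {
                # scontext=user:role:type:level, so the type is the third field
                split(substr($i, 10), ctx, ":")
                if (ctx[3] in want) print
                break
            }
        }' "$1"
}

# Number of matching denials; non-zero means the run should be flagged.
count_pulp_denials() {
    pulp_denials "$1" | wc -l | tr -d ' '
}

# Constructed sample records (not from a real Pulp host).
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1478800001.101:501): avc:  denied  { read } for  pid=2101 comm="celery" name="example.conf" dev="dm-0" ino=1001 scontext=system_u:system_r:celery_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1478800001.101:501): arch=c000003e syscall=2 success=yes exit=3 pid=2101 comm="celery" subj=system_u:system_r:celery_t:s0 key=(null)
type=AVC msg=audit(1478800002.202:502): avc:  denied  { write } for  pid=2202 comm="httpd" name="example.dir" dev="dm-0" ino=1002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1478800003.303:503): avc:  denied  { signal } for  pid=2303 comm="bash" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:system_r:celery_t:s0 tclass=process permissive=1
type=AVC msg=audit(1478800004.404:504): avc:  denied  { getattr } for  pid=2404 comm="sshd" path="/example" dev="dm-0" ino=1004 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
EOF
}

# Stand-alone demo on the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "Pulp-domain denials: $(count_pulp_denials "$log")"
rm -f "$log"
```

Denials are still logged as "denied" when SELinux is permissive, so the same check applies in either mode; how a non-zero count is turned into an Unstable result is left to the job definition.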
- Sprint Candidate changed from Yes to No
- Status changed from NEW to CLOSED - WONTFIX
Pulp 2 is approaching maintenance mode, and this Pulp 2 ticket is not being actively worked on. As such, it is being closed as WONTFIX. Pulp 2 is still accepting contributions though, so if you want to contribute a fix for this ticket, please reopen or comment on it. If you don't have permissions to reopen this ticket, or you want to discuss an issue, please reach out via the developer mailing list.