Issue #5995
filecontext conflict with pulp2
Description
pulp.fc currently defines
/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
However, pulp-server.fc (https://github.com/pulp/pulp/blob/2-master/server/selinux/server/pulp-server.fc#L6) from pulp2 defines this as:
/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
I'd expect this makes these two policies not co-installable.
Associated revisions
Revision 4b79d71b
View on GitHub
Lists all directories inside /var/lib/pulp/ that are used by pulpcore
This avoids having a conflict with the pulp-server 2.y.z SELinux policy which states:
/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
History
#3
Updated by evgeni 7 months ago
[root@centos7-katello-3-14 ~]# /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/pulpcore.pp
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/pulp(/.*)? (system_u:object_r:pulpcore_var_lib_t:s0 and system_u:object_r:httpd_sys_rw_content_t:s0).
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule: Failed!
#4
Updated by bmbouter 6 months ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
- Sprint set to Sprint 65
Adding to sprint as it's a Katello blocker.
The plan¶
We need to update the Pulp2 policy to claim only the folders inside /var/lib/pulp that it needs. Then the pulp3 policy needs to be updated the same.
What are the directory paths Pulp2 uses?
What are the directory paths Pulp3 uses?
#5
Updated by jsherril@redhat.com 6 months ago
On my combined pulp2/pulp3 box i see:
artifact
content
importers
init.flag
packages
published
static
tmp
upload
uploads
On my pure pulp2 box i see:
content
importers
init.flag
packages
published
static
uploads
#7
Updated by dkliban@redhat.com 6 months ago
- Description updated (diff)
- Assignee changed from bmbouter to dkliban@redhat.com
#8
Updated by dkliban@redhat.com 6 months ago
The only overlapping directory is /var/lib/pulp/static/. We should change pulpcore to use /var/lib/pulp/pulpcore-static/ for it's static content. I am open to other name suggestions.
#9
Updated by daviddavis 6 months ago
+1 to rename. What about the name 'assets'?
#10
Updated by dkliban@redhat.com 6 months ago
I like 'assets'. To be clear, this is only going to change the directory name inside /var/lib/pulp. The URL for the files inside is still going to be /static/.
#11
Updated by dkliban@redhat.com 6 months ago
Here is the first PR to rename the directory in pulpcore: https://github.com/pulp/pulpcore/pull/533
I also discovered that the installer is not properly configuring nginx and apache to serve the static content: https://pulp.plan.io/issues/6128
#12
Updated by dkliban@redhat.com 6 months ago
Here is the SELinux policy change PR: https://github.com/pulp/pulpcore-selinux/pull/12
#13
Updated by dkliban@redhat.com 6 months ago
- Status changed from ASSIGNED to MODIFIED
#14
Updated by daviddavis 5 months ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
#15
Updated by daviddavis 5 months ago
- Sprint/Milestone set to 3.2.0
Please register to edit this issue
.
Renames /var/lib/pulp/static/ to /var/lib/pulp/assets/.
This directory name is already being used by Pulp 2. As a result the SELinux policies for Pulp 2 and Pulp 3 are conflicting. After this change, the two SELinux policies can explicitly name the directories inside /var/lib/pulp/ that they manage.
re: #5995 https://pulp.plan.io/issues/5995