Issue #5995: filecontext conflict with pulp2 - Pulp

Send by e-mail

Issue #5995

filecontext conflict with pulp2

Added by evgeni 5 months ago. Updated 28 days ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

dkliban@redhat.com

Category:

Sprint/Milestone:

3.2.0

Start date:

Due date:

Severity:

2. Medium

Version:

Platform Release:

Blocks Release:

OS:

Backwards Incompatible:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Katello, SELinux

QA Contact:

Complexity:

Smash Test:

Verified:

Verification Required:

Sprint:

Sprint 66

Description

pulp.fc currently defines

/var/lib/pulp(/.*)?     gen_context(system_u:object_r:pulpcore_var_lib_t,s0)

However, pulp-server.fc (https://github.com/pulp/pulp/blob/2-master/server/selinux/server/pulp-server.fc#L6) from pulp2 defines this as:

/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

I'd expect this makes these two policies not co-installable.

Associated revisions

Revision c39312b3 View on GitHub
Added by dkliban@redhat.com 4 months ago

Renames /var/lib/pulp/static/ to /var/lib/pulp/assets/.

This directory name is already being used by Pulp 2. As a result the SELinux policies for Pulp 2 and Pulp 3 are conflicting. After this change, the two SELinux policies can explicitly name the directories inside /var/lib/pulp/ that they manage.

re: #5995 https://pulp.plan.io/issues/5995

Revision 4b79d71b View on GitHub
Added by dkliban@redhat.com 4 months ago

Lists all directories inside /var/lib/pulp/ that are used by pulpcore

This avoids having a conflict with the pulp-server 2.y.z SELinux policy which states:

/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)

re: #5995 https://pulp.plan.io/issues/5995

History

#1 Updated by bmbouter 5 months ago

Tags Katello-P2 added

Adding P2 label to identify the work priority w.r.t. Katello.

#2 Updated by fao89 5 months ago

Triaged changed from No to Yes

#3 Updated by evgeni 4 months ago

[root@centos7-katello-3-14 ~]# /usr/sbin/semodule -s  targeted -i /usr/share/selinux/targeted/pulpcore.pp
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/pulp(/.*)?  (system_u:object_r:pulpcore_var_lib_t:s0 and system_u:object_r:httpd_sys_rw_content_t:s0).
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule:  Failed!

#4 Updated by bmbouter 4 months ago

Status changed from NEW to ASSIGNED
Assignee set to bmbouter
Sprint set to Sprint 65

Adding to sprint as it's a Katello blocker.

The plan¶

We need to update the Pulp2 policy to claim only the folders inside /var/lib/pulp that it needs. Then the pulp3 policy needs to be updated the same.

What are the directory paths Pulp2 uses?
What are the directory paths Pulp3 uses?

#5 Updated by jsherril@redhat.com 4 months ago

On my combined pulp2/pulp3 box i see:

artifact
content
importers
init.flag
packages
published
static
tmp
upload
uploads

On my pure pulp2 box i see:

content
importers
init.flag
packages
published
static
uploads

#6 Updated by rchan 4 months ago

Sprint changed from Sprint 65 to Sprint 66

#7 Updated by dkliban@redhat.com 4 months ago

Description updated (diff)
Assignee changed from bmbouter to dkliban@redhat.com

#8 Updated by dkliban@redhat.com 4 months ago

The only overlapping directory is /var/lib/pulp/static/. We should change pulpcore to use /var/lib/pulp/pulpcore-static/ for it's static content. I am open to other name suggestions.

#9 Updated by daviddavis 4 months ago

+1 to rename. What about the name 'assets'?

#10 Updated by dkliban@redhat.com 4 months ago

I like 'assets'. To be clear, this is only going to change the directory name inside /var/lib/pulp. The URL for the files inside is still going to be /static/.