Issue #5995
file context conflict with pulp2 (Status: Closed)
Description
pulp.fc currently defines
/var/lib/pulp(/.*)? gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
However, pulp-server.fc (https://github.com/pulp/pulp/blob/2-master/server/selinux/server/pulp-server.fc#L6) from pulp2 defines this as:
/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
I'd expect this makes these two policies not co-installable.
Updated by bmbouter almost 5 years ago
- Tags Katello-P2 added
Adding P2 label to identify the work priority w.r.t. Katello.
Updated by evgeni almost 5 years ago
[root@centos7-katello-3-14 ~]# /usr/sbin/semodule -s targeted -i /usr/share/selinux/targeted/pulpcore.pp
/etc/selinux/final/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/pulp(/.*)? (system_u:object_r:pulpcore_var_lib_t:s0 and system_u:object_r:httpd_sys_rw_content_t:s0).
/etc/selinux/final/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_validate_and_compile_fcontexts: setfiles returned error code 1.
/usr/sbin/semodule: Failed!
Updated by bmbouter almost 5 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
- Sprint set to Sprint 65
Adding to sprint as it's a Katello blocker.
The plan
We need to update the Pulp2 policy to claim only the folders inside /var/lib/pulp
that it needs. Then the pulp3 policy needs to be updated the same.
What are the directory paths Pulp2 uses?
What are the directory paths Pulp3 uses?
Updated by jsherril@redhat.com almost 5 years ago
On my combined pulp2/pulp3 box I see:
artifact
content
importers
init.flag
packages
published
static
tmp
upload
uploads
On my pure pulp2 box I see:
content
importers
init.flag
packages
published
static
uploads
Updated by dkliban@redhat.com almost 5 years ago
- Description updated (diff)
- Assignee changed from bmbouter to dkliban@redhat.com
Updated by dkliban@redhat.com almost 5 years ago
The only overlapping directory is /var/lib/pulp/static/. We should change pulpcore to use /var/lib/pulp/pulpcore-static/ for its static content. I am open to other name suggestions.
Updated by daviddavis almost 5 years ago
+1 to rename. What about the name 'assets'?
Updated by dkliban@redhat.com almost 5 years ago
I like 'assets'. To be clear, this is only going to change the directory name inside /var/lib/pulp. The URL for the files inside is still going to be /static/.
Added by dkliban@redhat.com almost 5 years ago
Updated by dkliban@redhat.com almost 5 years ago
Here is the first PR to rename the directory in pulpcore: https://github.com/pulp/pulpcore/pull/533
I also discovered that the installer is not properly configuring nginx and apache to serve the static content: https://pulp.plan.io/issues/6128
Added by dkliban@redhat.com almost 5 years ago
Revision 4b79d71b
Lists all directories inside /var/lib/pulp/ that are used by pulpcore
This avoids having a conflict with the pulp-server 2.y.z SELinux policy which states:
/var/lib/pulp(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
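As an added example (not code from the Pulp project or from this issue), the following Python checker reproduces, on .fc text, the "Multiple different specifications" rule that setfiles applied in the semodule output earlier in the thread: two entries with the same path regex (and compatible file-type flags) but different SELinux types are rejected. It then shows why the approach in the revision above works: once pulpcore claims only its own subdirectories, no regex is shared with pulp-server.fc, so the policies compile together. The .fc content is constructed for the example; the two conflicting lines are the ones quoted in the issue, and the per-directory pulpcore entries use directory names taken from the listings in the thread (artifact, assets, tmp, upload) and are an assumption, not the project's actual policy file.

```python
"""Detect conflicting SELinux file-context (.fc) specifications before semodule does.

Added example, not part of pulp, pulpcore or pulpcore-selinux.  It approximates
the duplicate-spec check setfiles performs when a module is installed: entries
whose path regex is textually identical but whose context differs produce
"Multiple different specifications for <regex>".  Overlapping-but-different
regexes are NOT an error; the compiled file_contexts orders them so that more
specific entries take precedence over a catch-all.
"""
import re
from collections import defaultdict

# One .fc source line: <regex> [<file type flag, e.g. -d>] <context>
# In policy sources the context is written with the gen_context(...) M4 macro.
_FC_LINE = re.compile(
    r"^(?P<regex>\S+)\s+(?:(?P<ftype>-[a-z-])\s+)?"
    r"(?P<context>gen_context\([^)]*\)|<<none>>|\S+)\s*$"
)


def parse_fc(text, source):
    """Parse .fc text into (regex, ftype, selinux_type, source) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = _FC_LINE.match(line)
        if not m:
            raise ValueError(f"{source}:{lineno}: unparseable .fc line: {raw!r}")
        ctx = m.group("context")
        if ctx.startswith("gen_context("):
            # gen_context(system_u:object_r:foo_t,s0) -> system_u:object_r:foo_t
            ctx = ctx[len("gen_context("):].split(",", 1)[0]
        selinux_type = ctx if ctx == "<<none>>" else ctx.split(":")[2]
        entries.append((m.group("regex"), m.group("ftype") or "", selinux_type, source))
    return entries


def find_conflicts(entries):
    """Return [(regex, [(type, source), ...])] for regexes claimed with different types."""
    by_regex = defaultdict(list)
    for regex, ftype, selinux_type, source in entries:
        by_regex[regex].append((ftype, selinux_type, source))
    conflicts = []
    for regex, specs in sorted(by_regex.items()):
        clashing = set()
        for i, (ft_a, ty_a, src_a) in enumerate(specs):
            for ft_b, ty_b, src_b in specs[i + 1:]:
                # An entry with no file-type flag applies to every file type,
                # so it collides with any flagged entry for the same regex.
                same_kind = not ft_a or not ft_b or ft_a == ft_b
                if same_kind and ty_a != ty_b:
                    clashing.update({(ty_a, src_a), (ty_b, src_b)})
        if clashing:
            conflicts.append((regex, sorted(clashing)))
    return conflicts


def check_policies(*fc_sources):
    """fc_sources are (name, text) pairs; returns the combined conflict list."""
    entries = []
    for name, text in fc_sources:
        entries.extend(parse_fc(text, name))
    return find_conflicts(entries)


# Constructed samples.  The first two lines are the ones quoted in the issue.
PULP2_FC = """\
/var/lib/pulp(/.*)?    gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
"""

PULP3_FC_BEFORE = """\
/var/lib/pulp(/.*)?    gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
"""

# Assumed per-directory entries (names from the thread, not the real pulp.fc).
PULP3_FC_AFTER = """\
/var/lib/pulp/artifact(/.*)?   gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
/var/lib/pulp/assets(/.*)?     gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
/var/lib/pulp/tmp(/.*)?        gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
/var/lib/pulp/upload(/.*)?     gen_context(system_u:object_r:pulpcore_var_lib_t,s0)
"""

if __name__ == "__main__":
    for label, pulp3 in (("before", PULP3_FC_BEFORE), ("after", PULP3_FC_AFTER)):
        found = check_policies(("pulp-server.fc", PULP2_FC), ("pulp.fc", pulp3))
        print(f"{label}: {len(found)} conflict(s)")
        for regex, specs in found:
            print(f"  Multiple different specifications for {regex}: {specs}")
```

Running the script reports one conflict for the original pair (the same regex mapped to httpd_sys_rw_content_t and pulpcore_var_lib_t) and none for the per-directory version, because a regex that is merely more specific than another is allowed to coexist with it.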
Updated by dkliban@redhat.com almost 5 years ago
Here is the SELinux policy change PR: https://github.com/pulp/pulpcore-selinux/pull/12
Updated by dkliban@redhat.com almost 5 years ago
- Status changed from ASSIGNED to MODIFIED
Updated by daviddavis over 4 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Updated by ggainey over 4 years ago
- Tags Katello added
- Tags deleted (Katello-P2)
Renames /var/lib/pulp/static/ to /var/lib/pulp/assets/.
This directory name is already being used by Pulp 2. As a result the SELinux policies for Pulp 2 and Pulp 3 are conflicting. After this change, the two SELinux policies can explicitly name the directories inside /var/lib/pulp/ that they manage.
re: #5995 https://pulp.plan.io/issues/5995