Issue #7041
closed
Make disabling SELinux optional
Description
As a developer I should have the option to disable SELinux.
The following change removed the task that automatically disabled SELinux:
https://github.com/pulp/pulp_installer/pull/337/files#diff-88538467d3c51f54417e8cfeb0426bc4L17.
Having SELinux enabled breaks dev installs. Specifically, in a dev install where nginx config files are symlink'd to an external mount point, SELinux prevents nginx from starting.
Encountered this issue using Pulplift to provision pulp3-source-fedora31. The exact error in the nginx error log is: "[emerg] 19108#0: open() "/etc/nginx/pulp/galaxy_ng.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:73"
With SELinux disabled, the above error is resolved and nginx starts as expected.
Updated by chouseknecht almost 4 years ago
This is also breaking the galaxy_ng end-user install.
Specific log message from /var/log/messages...
SELinux is preventing gunicorn from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 349b4598-4659-4e35-a82f-191239aa17d2
Updated by pulpbot almost 4 years ago
- Status changed from NEW to POST
Updated by dkliban@redhat.com almost 4 years ago
It is not the responsibility of the installer to disable SELinux. The user should make that decision (in their playbook). The installer used to disable SELinux because there was no policy available. Now that a policy is available, we will improve the installer by having it compile and install the SELinux policy[0].
Updated by chouseknecht almost 4 years ago
I don't disagree that SELinux should be enforcing, in an ideal world. Sometimes the world is not ideal, and in such cases it would be nice if the installer provided a simple knob. This makes it much less of a headache for upstream projects like galaxy_ng to document any known exceptions where it might be desirable to disable SELinux.
Updated by dkliban@redhat.com almost 4 years ago
- Status changed from POST to CLOSED - WONTFIX
The installer now sets SELinux to permissive. Once we add SELinux policy to the installer, the installer will not do anything to SELinux.