Issue #7041

Make disabling SELinux optional

Added by chouseknecht 8 days ago. Updated 1 day ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: Installer
Severity: 2. Medium
Triaged: No
Groomed: No
Sprint Candidate: No

Description

As a developer I should have the option to disable SELinux.

The following change removed the task that automatically disabled SELinux:

https://github.com/pulp/pulp_installer/pull/337/files#diff-88538467d3c51f54417e8cfeb0426bc4L17.

Having SELinux enabled breaks dev installs. Specifically, in a dev install where nginx config files are symlink'd to an external mount point, SELinux prevents nginx from starting.

Encountered this issue using Pulplift to provision pulp3-source-fedora31. The exact error in the nginx error log is: "[emerg] 19108#0: open() "/etc/nginx/pulp/galaxy_ng.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:73"

With SELinux disabled, the above error is resolved and nginx starts as expected.

History

#1 Updated by chouseknecht 8 days ago

This is also breaking the galaxy_ng end-user install.

Specific log message from /var/log/messages...

SELinux is preventing gunicorn from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 349b4598-4659-4e35-a82f-191239aa17d2

#2 Updated by pulpbot 8 days ago

  • Status changed from NEW to POST

#3 Updated by dkliban@redhat.com 8 days ago

It is not the responsibility of the installer to disable SELinux. The user should make that decision (in their playbook). The installer used to disable SELinux because there was no policy available. Now that a policy is available, we will improve the installer by having it compile and install the SELinux policy[0].

[0] https://pulp.plan.io/issues/7043

#4 Updated by chouseknecht 8 days ago

I don't disagree that SELinux should be enforcing, in an ideal world. Sometimes the world is not ideal, and in such cases it would be nice if the installer provided a simple knob. This makes it much less of a headache for upstream projects like galaxy_ng to document any known exceptions where it might be desirable to disable SELinux.

#5 Updated by ElizaDuk 2 days ago

What is SELinux, and why is it slowing me down? The “SE” in SELinux stands for “Security-Enhanced” — and for good reason. I could probably write books about all the security aspects of a Linux system that can be managed by SELinux, but the important thing to know is that SELinux is like a watch-dog with nano-level focus on every part of your system in Linux at https://essaybox.org. It prevents unauthorized changes to files and directories and also prevents various protocols like HTTP and SSH from being used by various services and applications unless you explicitly allow that action.

#6 Updated by dkliban@redhat.com 1 day ago

  • Status changed from POST to CLOSED - WONTFIX

The installer now sets SELinux to permissive. Once we add SELinux policy to the installer, the installer will not do anything to SELinux.
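
Added example, not part of the issue thread and not pulp_installer code: one way to keep the SELinux decision in the user's own playbook, as comment #3 suggests, with an opt-in knob like the one comment #4 asks for. The variable `dev_selinux_state`, the inventory group `pulp_hosts` and the `targeted` policy name are assumptions; the knob is limited to `enforcing` or `permissive` so that denials are still logged.

```yaml
# Added example: wrapper playbook in which the operator, not the installer,
# chooses the SELinux mode. Variable and group names are hypothetical.
- name: Choose the SELinux mode before running the installer roles
  hosts: pulp_hosts              # hypothetical inventory group
  become: true
  vars:
    # Opt-in knob: leave at "enforcing" unless a known exception applies,
    # e.g. a dev box whose nginx config is symlinked to an external mount.
    dev_selinux_state: enforcing
  pre_tasks:
    - name: Refuse values other than enforcing or permissive
      ansible.builtin.assert:
        that:
          - dev_selinux_state in ['enforcing', 'permissive']
        fail_msg: "dev_selinux_state must be 'enforcing' or 'permissive'"

    - name: Apply the requested SELinux mode
      ansible.posix.selinux:
        policy: targeted         # assumption: default policy on the target host
        state: "{{ dev_selinux_state }}"
      when: ansible_facts.selinux.status == 'enabled'

    - name: Report hosts that are running without enforcement
      ansible.builtin.debug:
        msg: >-
          SELinux is permissive on {{ inventory_hostname }};
          denials are logged but not blocked.
      when: dev_selinux_state == 'permissive'
  # Installer roles go here; names omitted because the page does not list them.
  roles: []
```

A dev environment opts in with `-e dev_selinux_state=permissive` on the `ansible-playbook` command line; every other run stays enforcing.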
