Issue #7041

closed

Make disabling SELinux optional

Added by chouseknecht almost 4 years ago. Updated almost 4 years ago.

Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: Installer - Moved to GitHub issues
Sprint/Milestone: -
Severity: 2. Medium
Triaged: No
Groomed: No
Sprint Candidate: No

Description

As a developer I should have the option to disable SELinux.

The following change removed the task that automatically disabled SELinux:

https://github.com/pulp/pulp_installer/pull/337/files#diff-88538467d3c51f54417e8cfeb0426bc4L17.

Having SELinux enabled breaks dev installs. Specifically, in a dev install where nginx config files are symlink'd to an external mount point, SELinux prevents nginx from starting.

Encountered this issue using Pulplift to provision pulp3-source-fedora31. The exact error in the nginx error log is: "[emerg] 19108#0: open() "/etc/nginx/pulp/galaxy_ng.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:73"

With SELinux disabled, the above error is resolved and nginx starts as expected.
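The failure described above, nginx config symlinked to an external mount and refused by SELinux, can be narrowed down by checking the label on each symlink target. The script below is an added example, not part of the original issue or of pulp_installer; the expected type `httpd_config_t` is an assumption based on the stock targeted policy, and the labels in `demo()` are constructed.

```python
import os
import tempfile

EXPECTED_TYPE = "httpd_config_t"  # assumption: nginx config type in the targeted policy

def selinux_type(path):
    """Return the SELinux type of path, or None if it carries no label."""
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError:
        return None  # missing file, unlabeled file, or filesystem without xattrs
    # Context format is user:role:type:level (the level may contain colons)
    fields = raw.rstrip(b"\x00").decode().split(":")
    return fields[2] if len(fields) >= 3 else None

def audit_symlinked_configs(conf_dir, get_type=selinux_type, expected=EXPECTED_TYPE):
    """List symlinks under conf_dir whose resolved target is not labelled `expected`."""
    findings = []
    for root, dirs, files in os.walk(conf_dir):
        for name in sorted(dirs + files):
            link = os.path.join(root, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            found = get_type(target) if os.path.exists(target) else "missing"
            if found != expected:
                findings.append((link, target, found))
    return findings

def demo():
    """Constructed layout: a config dir with symlinks into a fake external mount."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        mount = os.path.join(tmp, "mount")
        conf = os.path.join(tmp, "nginx", "pulp")
        os.makedirs(mount)
        os.makedirs(conf)
        open(os.path.join(mount, "galaxy_ng.conf"), "w").close()
        os.symlink(os.path.join(mount, "galaxy_ng.conf"), os.path.join(conf, "galaxy_ng.conf"))
        open(os.path.join(conf, "local.conf"), "w").close()  # regular file, not reported
        os.symlink(os.path.join(mount, "gone.conf"), os.path.join(conf, "stale.conf"))
        # Constructed labels standing in for real security.selinux xattrs
        fake = lambda p: "default_t" if p.startswith(mount) else EXPECTED_TYPE
        return [(os.path.basename(l), t) for l, _, t in audit_symlinked_configs(conf, fake)]

if __name__ == "__main__":
    for link, target, found in audit_symlinked_configs("/etc/nginx"):
        print(f"{link} -> {target}: type={found}, expected {EXPECTED_TYPE}")
```

A target reported with an unexpected type points at a labelling problem on the mount rather than a reason to turn enforcement off for the whole host.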

Actions #1

Updated by chouseknecht almost 4 years ago

This is also breaking the galaxy_ng end-user install.

Specific log message from /var/log/messages...

SELinux is preventing gunicorn from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 349b4598-4659-4e35-a82f-191239aa17d2

Actions #2

Updated by pulpbot almost 4 years ago

  • Status changed from NEW to POST

Actions #3

Updated by dkliban@redhat.com almost 4 years ago

It is not the responsibility of the installer to disable SELinux. The user should make that decision (in their playbook). The installer used to disable SELinux because there was no policy available. Now that a policy is available, we will improve the installer by having it compile and install the SELinux policy[0].

[0] https://pulp.plan.io/issues/7043

Actions #4

Updated by chouseknecht almost 4 years ago

I don't disagree that SELinux should be enforcing, in an ideal world. Sometimes the world is not ideal, and in such cases it would be nice if the installer provided a simple knob. This makes it much less of a headache for upstream projects like galaxy_ng to document any known exceptions where it might be desirable to disable SELinux.

Actions #5

Updated by dkliban@redhat.com almost 4 years ago

  • Status changed from POST to CLOSED - WONTFIX

The installer now sets SELinux to permissive. Once we add SELinux policy to the installer, the installer will not do anything to SELinux.
