Make disabling SELinux optional
As a developer I should have the option to disable SELinux.
The following change removed the task that automatically disabled SELinux:
Having SELinux enabled breaks dev installs. Specifically, in a dev install where nginx config files are symlink'd to an external mount point, SELinux prevents nginx from starting.
Encountered this issue using Pulplift to provision pulp3-source-fedora31. The exact error in the nginx error log is: "[emerg] 19108#0: open() "/etc/nginx/pulp/galaxy_ng.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:73"
With SELinux disabled, the above error is resolved and nginx starts as expected.
#1 Updated by chouseknecht 8 days ago
This is also breaking the galaxy_ng end-user install.
Specific log message from /var/log/messages...
SELinux is preventing gunicorn from using the nnp_transition access on a process. For complete SELinux messages run: sealert -l 349b4598-4659-4e35-a82f-191239aa17d2
#3 Updated by firstname.lastname@example.org 8 days ago
It is not the responsibility of the installer to disable SELinux. The user should make that decision (in their playbook). The installer used to disable SELinux because there was no policy available. Now that a policy is available, we will improve the installer by having it compile and install the SELinux policy.
#4 Updated by chouseknecht 8 days ago
I don't disagree that SELinux should be enforcing, in an ideal world. Sometimes the world is not ideal, and in such cases it would be nice if the installer provided a simple knob. This makes it much less of a headache for upstream projects like galaxy_ng to document any known exceptions where it might be desirable to disable SELinux.
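The choice discussed in comments #3 and #4, made in the user's own playbook before the installer roles run, as an added example that is not part of the original thread or of the installer. The variable name `pulp_dev_selinux_state` and the host pattern are hypothetical; `ansible.posix.selinux` is the stock Ansible module.

```yaml
# Added example, not pulp_installer code.
# `pulp_dev_selinux_state` is a hypothetical variable name.
- hosts: all            # placeholder host pattern
  become: true
  vars:
    # One of: enforcing, permissive, disabled.
    # Leave undefined to keep whatever mode the host already has.
    pulp_dev_selinux_state: permissive

  pre_tasks:
    - name: Reject values the selinux module would not accept
      ansible.builtin.assert:
        that:
          - pulp_dev_selinux_state in ['enforcing', 'permissive', 'disabled']
        fail_msg: "pulp_dev_selinux_state must be enforcing, permissive or disabled"
      when: pulp_dev_selinux_state is defined

    - name: Apply the SELinux mode chosen by the user
      ansible.posix.selinux:
        policy: targeted
        state: "{{ pulp_dev_selinux_state }}"
      register: selinux_result
      when: pulp_dev_selinux_state is defined

    - name: Report when the change only takes effect after a reboot
      ansible.builtin.debug:
        msg: "SELinux mode change on {{ inventory_hostname }} requires a reboot"
      when: selinux_result.reboot_required | default(false)

  # The installer roles follow here; they are left out because their
  # names are not given in this thread.
```

In `permissive` mode denials such as the nginx `open()` failure and the gunicorn `nnp_transition` message are still logged but no longer block the service, which keeps the audit trail available while a dev install is being debugged.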
What is SELinux, and why is it slowing me down? The “SE” in SELinux stands for “Security-Enhanced” — and for good reason. I could probably write books about all the security aspects of a Linux system that can be managed by SELinux, but the important thing to know is that SELinux is like a watch-dog with nano-level focus on every part of your system in Linux. It prevents unauthorized changes to files and directories and also prevents various protocols like HTTP and SSH from being used by various services and applications unless you explicitly allow that action.