As a user, I have pulp_installer compile and install the pulpcore-selinux policy
On Red Hat systems, pulp_installer needs to clone the pulpcore-selinux repository, compile the policy inside it, install the policy, and label all the ports used by the Pulp services.
File Path Requirements/Details
The SELinux policy is built assuming the default file paths, for example /var/lib/pulp. Those defaults are declared in the policy's ".fc" (file contexts) file.
On production systems where these paths are changed, the installer will need to generate a correct .fc file to use when compiling the policy; otherwise the relocated directories keep their generic labels and the pulpcore domain is denied access to them.
On dev systems, a new .fc file will need to be generated as well, for the dev environment's paths.
Alternatively, we can call commands/modules to update the label database with these changed paths (for example "semanage fcontext -a -e <default path> <actual path>", which declares the new path equivalent to the default one, followed by "restorecon -R" on the new path).
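The following is an added example of the ".fc generation" approach described above; it is not code from pulp_installer or pulpcore-selinux. It rewrites the path regex of every .fc entry that lives under a default Pulp path so that it points at the overridden path instead, escaping regex metacharacters in the new path and replacing only whole path components (so /var/lib/pulp does not also capture /var/lib/pulpfoo). The sample .fc lines and the pulpcore_* type names in it are constructed for the example; take the real entries from the policy's own .fc file.

```python
"""Rewrite an SELinux file-contexts (.fc) file for non-default Pulp paths.

Added example, not pulp_installer or pulpcore-selinux code.  The sample
.fc text and the pulpcore_* type names are constructed for illustration.
"""

# Regex metacharacters that can appear in a filesystem path; they must be
# escaped so the .fc path regex matches the new path literally.
_FC_META = set(".*+?()[]{}|^$\\")

# Constructed sample (not the real pulpcore-selinux .fc): <path regex> [flag] <context>
SAMPLE_FC = """\
# constructed sample, not the real pulpcore-selinux .fc
/usr/bin/pulpcore-content\t--\tgen_context(system_u:object_r:pulpcore_exec_t,s0)
/var/lib/pulp(/.*)?\tgen_context(system_u:object_r:pulpcore_var_lib_t,s0)
/var/lib/pulp/media(/.*)?\tgen_context(system_u:object_r:pulpcore_var_lib_t,s0)
/var/lib/pulpfoo(/.*)?\tgen_context(system_u:object_r:var_lib_t,s0)
/var/run/pulpcore(/.*)?\tgen_context(system_u:object_r:pulpcore_var_run_t,s0)
"""


def fc_escape(path: str) -> str:
    """Escape a literal filesystem path for use as (the start of) a .fc path regex."""
    return "".join("\\" + c if c in _FC_META else c for c in path)


def relabel_fc(fc_text: str, overrides: dict) -> str:
    """Return fc_text with every entry under a default path moved to its override.

    overrides maps a default literal path (e.g. "/var/lib/pulp") to the
    path actually configured on this host.  An entry is rewritten only if
    its path regex is the default itself or continues with "/" or "(", so
    "/var/lib/pulp(/.*)?" is rewritten while "/var/lib/pulpfoo(/.*)?" is not.
    Comment and blank lines are passed through unchanged.
    """
    out = []
    for line in fc_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        # Entry layout: <path regex> [<file type flag>] <context>; only the
        # first field is a path, the rest is copied verbatim.
        path_re, rest = stripped.split(None, 1)
        for default, actual in overrides.items():
            esc_default = fc_escape(default.rstrip("/"))
            tail = path_re[len(esc_default):]
            if path_re.startswith(esc_default) and (tail == "" or tail[0] in "/("):
                path_re = fc_escape(actual.rstrip("/")) + tail
                break
        out.append(f"{path_re}\t{rest}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Hypothetical deployment that moved the content store to /srv/pulp.
    print(relabel_fc(SAMPLE_FC, {"/var/lib/pulp": "/srv/pulp"}), end="")
```

The rewritten .fc then goes through the normal module build and install (for example make -f /usr/share/selinux/devel/Makefile, then semodule -i), and the relocated directories must be relabeled with restorecon -R afterwards, since installing a policy module does not touch existing files on disk. Note that a rewritten entry is still found by longest-stem matching against other policy modules' entries, so moving Pulp data under a directory another module labels very specifically can still lose.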
Currently not needed (Dennis & Mike): the policy gets installed pre-compiled via the pulpcore-selinux RPM package, which the installer defaults to installing.
Because /usr/bin/rq and /usr/bin/gunicorn are generic executables shared with other applications (so they cannot simply be labeled as Pulp's entrypoint type), this mode will require wrapper scripts like the ones Katello creates, if we are to support this mode at all (usually policies ship in a separate RPM package).
Which version of pulpcore-selinux gets installed?
Currently the "master" branch. Alternatives, like tagged releases, are TBD.
How to test branches of pulpcore-selinux?
The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overridden via __pulp_selinux_version. We should set these in molecule vars files for CI when needed.
Provide support for disabling SELinux in the installer?
This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside the scope of the installer for now.
Installing the one package for the ports should be in the pulp_api & pulp_content roles.
Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)
Also install the policy for the other SELinux policy types (mls, strict & targeted), not just the current one.
Current is good enough; we only do targeted for Pulp 2. (Dennis & Mike)
Support for dev mode installs, with pulp source installed in editable mode?
Tracked via: https://pulp.plan.io/issues/97
- Tags SELinux added
Current SELinux policy (pulp/pulpcore-selinux) is missing some rules:
-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat
   kernel_getattr_proc(pulpcore_t)
   kernel_search_proc(pulpcore_t)
   kernel_list_proc(pulpcore_t)
   kernel_getattr_proc_files(pulpcore_t)
   kernel_read_proc_symlinks(pulpcore_t)
-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5
   optional_policy(`
       kerberos_use(pulpcore_t)
   ')
   optional_policy(`
       kerberos_read_keytab(pulpcore_t)
   ')
   corenet_tcp_connect_kerberos_password_port(pulpcore_t)
For some reason anything under /var/run does not get transitioned properly. I haven't found the reason why yet.
#5 Updated by firstname.lastname@example.org about 1 month ago
FYI, right now for RPM-based installs, a package (such as pulpcore-selinux) gets installed: