Project

Profile

Help

Story #7043

As a user, I have pulp_installer compile and install the pulpcore-selinux policy

Added by dkliban@redhat.com 3 months ago. Updated 4 days ago.

Status:
ASSIGNED
Priority:
Normal
Category:
Installer
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
(Total: 0:00 h)
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
SELinux
Sprint:
Sprint 82
Quarter:

Description

Overview

On Red Hat systems, Pulp installer needs to clone pulpcore-selinux repository[0], compile the policy inside of it, and install the policy, label all the ports used by pulp services[1].

[0] https://github.com/pulp/pulpcore-selinux [1] https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port

File Path Requirements/Details

The SELinux policy is built assuming default file paths. For example things like /var/lib/pulp, etc. Those defaults are in the policy's ".fc" file here.

On producton systems when these paths are changed the compiled policy will need to generate a correct .fc file to use when compiling the policy.

On dev systems, a new .fc file will need to be generated as well for the dev environment.

Alternatively, we can call commands/modules to update the label database with these changed paths.

install-from-RPM mode

Currently not needed (Dennis & Mike), the policies get installed (pre-compiled) via pulpcore-selinux RPM package, which the installer defaults to installing.

Because /usr/bin/rq and /usr/bin/gunicorn are generic, this mode will require wrapper scripts like Katello creates. If we are to support this mode at all (usually policies are in a separate RPM package.)

Which version of pulpcore-selinux gets installed?

Currently the "master" branch. Alternatives, like tagged releases, are TBD.

How to test branches of pulpcore-selinux?

The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overriden via __pulp_selinux_repo and __pulp_selinux_version. We should set these in molecule vars files for CI when needed.

Provide support for disabling SELinux in the installer?

This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside of of the scope of the installer now.

Installing the 1 package for the ports should be in pulp_api & pulp_content roles.

Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)

Also install the policy for the other selinux modes (mls, strict & targeted), not just the current one.

Current is good enough, we do only targeted for Pulp 2. (Dennis & Mike)

Support for dev mode installs, with pulp source installed in editable mode?

Tracked via: https://pulp.plan.io/issues/97


Subtasks

Task #7573: pulp_installer should no longer set SELinux to permissiveNEWmdepaulo@redhat.com

Actions
Task #7574: pulp_installer should compile & install the pulpcore-selinux policy when no paths are changedNEWmdepaulo@redhat.com

Actions
Task #7575: pulp_installer's SELinux support should handle folder paths being changedNEW

Actions

Related issues

Related to Pulp - Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environmentNEW

<a title="Actions" class="icon-only icon-actions js-contextmenu" href="#">Actions</a>

History

#1 Updated by bmbouter 3 months ago

  • Description updated (diff)

#2 Updated by bmbouter 3 months ago

  • Description updated (diff)

#3 Updated by spredzy 3 months ago

  • Tags SELinux added

Current SELinux policy (pulp/pulpcore-selinux) is missing some rules

-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat

kernel_getattr_proc(pulpcore_t)
kernel_search_proc(pulpcore_t)
kernel_list_proc(pulpcore_t)
kernel_getattr_proc_files(pulpcore_t)
kernel_read_proc_symlinks(pulpcore_t)

-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5

optional_policy(`
    kerberos_use(pulpcore_t)
')                                                                                                                      
optional_policy(`
    kerberos_read_keytab(pulpcore_t)
')
corenet_tcp_connect_kerberos_password_port(pulpcore_t)

For some reasons anything under /var/run does not get trnaistion properly I haven't found the reason why yet

#4 Updated by mdepaulo@redhat.com about 1 month ago

  • Assignee set to mdepaulo@redhat.com
  • Sprint set to Sprint 80

#5 Updated by mdepaulo@redhat.com about 1 month ago

FYI, right now for RPM-based installs, a package (such as pulpcore-selinux) gets installed: https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/defaults/main.yml#L51

#6 Updated by rchan 25 days ago

  • Sprint changed from Sprint 80 to Sprint 81

#7 Updated by rchan 11 days ago

  • Sprint changed from Sprint 81 to Sprint 82

#8 Updated by mdepaulo@redhat.com 8 days ago

  • Description updated (diff)

#9 Updated by mdepaulo@redhat.com 8 days ago

  • Description updated (diff)

#10 Updated by pulpbot 8 days ago

  • Status changed from NEW to POST

#11 Updated by mdepaulo@redhat.com 4 days ago

  • Status changed from POST to ASSIGNED

#12 Updated by mdepaulo@redhat.com 4 days ago

  • Description updated (diff)

#13 Updated by mdepaulo@redhat.com 4 days ago

  • Description updated (diff)

#14 Updated by mdepaulo@redhat.com 4 days ago

  • Related to Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment added

Please register to edit this issue

Also available in: Atom PDF