Story #7043

open

As a user, I have pulp_installer compile and install the pulpcore-selinux policy

Added by dkliban@redhat.com over 3 years ago. Updated about 2 years ago.

Status: ASSIGNED
Priority: Normal
Category: Installer - Moved to GitHub issues
Sprint/Milestone: -
Start date:
Due date:
% Done: 67%
Estimated time: (Total: 0:00 h)
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: SELinux
Sprint: Sprint 112
Quarter:

Description

Overview

On Red Hat systems, Pulp installer needs to clone the pulpcore-selinux repository [0], compile the policy inside of it, install the policy, and label all the ports used by Pulp services [1].

[0] https://github.com/pulp/pulpcore-selinux
[1] https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port

File Path Requirements/Details

The SELinux policy is built assuming default file paths. For example things like /var/lib/pulp, etc. Those defaults are in the policy's ".fc" file here.

On production systems, when these paths are changed, the compiled policy will need to generate a correct .fc file to use when compiling the policy.

On dev systems, a new .fc file will need to be generated as well for the dev environment.

Alternatively, we can call commands/modules to update the label database with these changed paths.

install-from-RPM mode

Currently not needed (Dennis & Mike), the policies get installed (pre-compiled) via pulpcore-selinux RPM package, which the installer defaults to installing.

Because /usr/bin/rq and /usr/bin/gunicorn are generic, this mode will require wrapper scripts like Katello creates, if we are to support this mode at all (usually policies are in a separate RPM package).

Which version of pulpcore-selinux gets installed?

Currently the "master" branch. Alternatives, like tagged releases, are TBD.

How to test branches of pulpcore-selinux?

The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overridden via __pulp_selinux_repo and __pulp_selinux_version. We should set these in molecule vars files for CI when needed.

Provide support for disabling SELinux in the installer?

This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside of the scope of the installer now.

Installing the 1 package for the ports should be in pulp_api & pulp_content roles.

Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)

Also install the policy for the other selinux modes (mls, strict & targeted), not just the current one.

Current is good enough, we do only targeted for Pulp 2. (Dennis & Mike)

Support for dev mode installs, with pulp source installed in editable mode?

Tracked via: https://pulp.plan.io/issues/97
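
The alternative mentioned under "File Path Requirements/Details" (updating the label database instead of regenerating the .fc file) can be sketched with SELinux equivalence rules. This is an added example, not part of the issue and not pulp_installer code; `/srv/pulp/data` is a constructed path, and the helper names `clean_path` and `relabel_cmds` are hypothetical.

```shell
#!/bin/sh
# Added example (not pulp_installer code): print the label-database updates
# needed when a Pulp directory is moved away from the policy's default path.

# clean_path PATH -> prints PATH without trailing slashes; fails if unusable.
clean_path() {
    case "$1" in
        /?*) ;;                          # must be absolute and not just "/"
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9._/-]*) return 1 ;;  # refuse anything that needs quoting
    esac
    p=$1
    while [ "${p%/}" != "$p" ]; do p=${p%/}; done
    [ -n "$p" ] || return 1              # input consisted only of slashes
    printf '%s\n' "$p"
}

# relabel_cmds DEFAULT CUSTOM -> prints the commands (dry run, nothing is
# executed) that make CUSTOM inherit the labels the .fc file gives DEFAULT.
relabel_cmds() {
    default=$(clean_path "$1") || return 2
    custom=$(clean_path "$2") || return 2
    # Path not changed: the compiled .fc file already labels it.
    if [ "$default" = "$custom" ]; then return 0; fi
    # Equivalence rule: look up contexts for CUSTOM as if it were DEFAULT.
    printf 'semanage fcontext -a -e %s %s\n' "$default" "$custom"
    # Apply the new contexts to files that already exist there.
    printf 'restorecon -R -v %s\n' "$custom"
}

# Constructed sample: /var/lib/pulp is the default named in the issue,
# /srv/pulp/data is a hypothetical relocated path.
while read -r default_dir custom_dir; do
    relabel_cmds "$default_dir" "$custom_dir" ||
        echo "skipped invalid pair: $default_dir $custom_dir" >&2
done <<'EOF'
/var/lib/pulp /srv/pulp/data/
EOF
```

The script only prints the commands; review them and run them as root on the target host to apply the change.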


Sub-issues 3 (1 open, 2 closed)

Task #7573: pulp_installer should no longer set SELinux to permissive (CLOSED - CURRENTRELEASE, mdepaulo@redhat.com)

Task #7574: pulp_installer should compile & install the pulpcore-selinux policy when no paths are changed (CLOSED - CURRENTRELEASE, mdepaulo@redhat.com)

Task #7575: pulp_installer's SELinux support should handle folder paths being changed (NEW)

Related issues

Related to Pulp - Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment (NEW)

Actions #1

Updated by bmbouter over 3 years ago

  • Description updated (diff)
Actions #2

Updated by bmbouter over 3 years ago

  • Description updated (diff)
Actions #3

Updated by spredzy over 3 years ago

  • Tags SELinux added

Current SELinux policy (pulp/pulpcore-selinux) is missing some rules

-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat

kernel_getattr_proc(pulpcore_t)
kernel_search_proc(pulpcore_t)
kernel_list_proc(pulpcore_t)
kernel_getattr_proc_files(pulpcore_t)
kernel_read_proc_symlinks(pulpcore_t)

-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5

optional_policy(`
    kerberos_use(pulpcore_t)
')
optional_policy(`
    kerberos_read_keytab(pulpcore_t)
')
corenet_tcp_connect_kerberos_password_port(pulpcore_t)

For some reason, anything under /var/run does not transition properly. I haven't found the reason why yet.

Actions #4

Updated by mdepaulo@redhat.com over 3 years ago

  • Assignee set to mdepaulo@redhat.com
  • Sprint set to Sprint 80
Actions #5

Updated by mdepaulo@redhat.com over 3 years ago

FYI, right now for RPM-based installs, a package (such as pulpcore-selinux) gets installed: https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/defaults/main.yml#L51

Actions #6

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 80 to Sprint 81
Actions #7

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 81 to Sprint 82
Actions #8

Updated by mdepaulo@redhat.com over 3 years ago

  • Description updated (diff)
Actions #9

Updated by mdepaulo@redhat.com over 3 years ago

  • Description updated (diff)
Actions #10

Updated by pulpbot over 3 years ago

  • Status changed from NEW to POST
Actions #11

Updated by mdepaulo@redhat.com over 3 years ago

  • Status changed from POST to ASSIGNED
Actions #12

Updated by mdepaulo@redhat.com over 3 years ago

  • Description updated (diff)
Actions #13

Updated by mdepaulo@redhat.com over 3 years ago

  • Description updated (diff)
Actions #14

Updated by mdepaulo@redhat.com over 3 years ago

  • Related to Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment added
Actions #15

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 82 to Sprint 83
Actions #16

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 83 to Sprint 84
Actions #17

Updated by mdepaulo@redhat.com over 3 years ago

spredzy wrote:

Current SELinux policy (pulp/pulpcore-selinux) is missing some rules

-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat

kernel_getattr_proc(pulpcore_t)
kernel_search_proc(pulpcore_t)
kernel_list_proc(pulpcore_t)
kernel_getattr_proc_files(pulpcore_t)
kernel_read_proc_symlinks(pulpcore_t)

-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5

optional_policy(`
    kerberos_use(pulpcore_t)
')
optional_policy(`
    kerberos_read_keytab(pulpcore_t)
')
corenet_tcp_connect_kerberos_password_port(pulpcore_t)

For some reason, anything under /var/run does not transition properly. I haven't found the reason why yet.

This was addressed in pulpcore-selinux 1.1.0: https://github.com/pulp/pulpcore-selinux/releases/tag/1.1.0

This epic, as partially implemented, installs 1.1.x in pip mode via an internal variable for the version. And it installs the latest version (in the RPM repo) in RPM mode.

Therefore, this issue is resolved.

Actions #18

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 84 to Sprint 85
Actions #19

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 85 to Sprint 86
Actions #20

Updated by rchan over 3 years ago

  • Sprint changed from Sprint 86 to Sprint 87
Actions #21

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 87 to Sprint 88
Actions #22

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 88 to Sprint 89
Actions #23

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 89 to Sprint 90
Actions #24

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 90 to Sprint 91
Actions #25

Updated by rchan about 3 years ago

  • Sprint changed from Sprint 91 to Sprint 92
Actions #26

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 92 to Sprint 93
Actions #27

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 93 to Sprint 94
Actions #28

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 94 to Sprint 95
Actions #29

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 95 to Sprint 96
Actions #30

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 96 to Sprint 97
Actions #31

Updated by rchan almost 3 years ago

  • Sprint changed from Sprint 97 to Sprint 98
Actions #32

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 98 to Sprint 99
Actions #33

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 99 to Sprint 100
Actions #34

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 100 to Sprint 101
Actions #35

Updated by ipanova@redhat.com over 2 years ago

  • Sprint changed from Sprint 101 to Sprint 102
Actions #36

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 102 to Sprint 103
Actions #37

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 103 to Sprint 104
Actions #38

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 104 to Sprint 105
Actions #39

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 105 to Sprint 106
Actions #40

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 106 to Sprint 107
Actions #41

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 107 to Sprint 108
Actions #42

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 108 to Sprint 109
Actions #43

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 109 to Sprint 110
Actions #44

Updated by rchan over 2 years ago

  • Sprint changed from Sprint 110 to Sprint 111
Actions #45

Updated by rchan about 2 years ago

  • Sprint changed from Sprint 111 to Sprint 112
