
Story #7043

As a user, I have pulp_installer compile and install the pulpcore-selinux policy

Added by dkliban@redhat.com 8 days ago. Updated 2 days ago.

Status:
NEW
Priority:
Normal
Assignee:
-
Category:
Installer
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
SELinux
Sprint:

Description

Overview

On Red Hat systems, the Pulp installer needs to clone the pulpcore-selinux repository[0], compile the policy inside it, install the policy, and label all the ports used by the Pulp services[1].

[0] https://github.com/pulp/pulpcore-selinux
[1] https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port

File Path Requirements/Details

The SELinux policy is built assuming default file paths, for example /var/lib/pulp. Those defaults are in the policy's ".fc" file.

On production systems where these paths have been changed, a correct .fc file will need to be generated and used when compiling the policy.

On dev systems, a new .fc file will need to be generated for the dev environment as well.

History

#1 Updated by bmbouter 8 days ago

  • Description updated (diff)

#2 Updated by bmbouter 8 days ago

  • Description updated (diff)

#3 Updated by spredzy 2 days ago

  • Tags SELinux added

Current SELinux policy (pulp/pulpcore-selinux) is missing some rules

-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat

kernel_getattr_proc(pulpcore_t)
kernel_search_proc(pulpcore_t)
kernel_list_proc(pulpcore_t)
kernel_getattr_proc_files(pulpcore_t)
kernel_read_proc_symlinks(pulpcore_t)

-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5

optional_policy(`
    kerberos_use(pulpcore_t)
')
optional_policy(`
    kerberos_read_keytab(pulpcore_t)
')
corenet_tcp_connect_kerberos_password_port(pulpcore_t)

For some reason anything under /var/run does not get transitioned properly; I haven't found the reason why yet.
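The rules in the comment above were derived from AVC denials and mapped to refpolicy interfaces by hand, which is what `audit2allow -R` automates. As an added example that is not part of this ticket or of pulpcore-selinux, the shell function below collapses raw AVC records into the plain `allow` rules that `audit2allow` prints, and a second function flags denials whose source domain is not the confined one. The audit records are constructed for the example and shaped like the two denials quoted in the comment; the target types in them (proc_t, krb5_conf_t) are assumptions, not labels observed on a Pulp host.

```shell
#!/bin/sh
# Added example, not code from this ticket or from pulpcore-selinux: collapse raw
# AVC denial records into the "allow" rules audit2allow would print, one rule per
# (source type, target type, object class) with the permissions merged.

# Constructed sample audit records, shaped like the denials quoted in the ticket.
# The target types (proc_t, krb5_conf_t) are assumptions for the example only.
SAMPLE_AUDIT='type=AVC msg=audit(1594046400.123:456): avc:  denied  { read } for  pid=1234 comm="pulpcore-api" name="stat" dev="proc" ino=4026532 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1594046400.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="pulpcore-api"
type=AVC msg=audit(1594046400.124:457): avc:  denied  { getattr } for  pid=1234 comm="pulpcore-api" path="/proc/stat" dev="proc" ino=4026532 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1594046400.125:458): avc:  denied  { search } for  pid=1234 comm="pulpcore-api" name="krb5" dev="dm-0" ino=8765 scontext=system_u:system_r:pulpcore_t:s0 tcontext=system_u:object_r:krb5_conf_t:s0 tclass=dir permissive=0'

# Read audit records on stdin (e.g. from "ausearch -m AVC -ts recent"), print merged
# allow rules on stdout. Non-AVC records such as the SYSCALL line are skipped.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
      t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t); split(t, ta, ":")
      c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
      key = sa[3] " " ta[3] ":" c            # e.g. "pulpcore_t proc_t:file"
      if (!(key in seen)) { keys[++n] = key; seen[key] = "" }
      m = split(perms, p, " ")
      for (i = 1; i <= m; i++)
        if (index(" " seen[key] " ", " " p[i] " ") == 0)
          seen[key] = (seen[key] == "") ? p[i] : seen[key] " " p[i]
    }
    END { for (i = 1; i <= n; i++) printf "allow %s { %s };\n", keys[i], seen[keys[i]] }
  '
}

# Count denials whose source domain is not the one the policy is supposed to confine.
# Any such record means the service never transitioned into that domain, so adding
# allow rules for the domain will not help; the fix is in the file contexts / transition.
unconfined_denials() {
  # $1 = expected domain, audit records on stdin
  awk -v want="$1" '
    /avc: +denied/ {
      s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s); split(s, sa, ":")
      if (sa[3] != want) bad++
    }
    END { print bad + 0 }
  '
}

# Run the constructed sample through both checks.
demo_rules() { printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow; }
demo_unconfined() { printf '%s\n' "$SAMPLE_AUDIT" | unconfined_denials pulpcore_t; }

demo_rules
```

On a real host, feed it with `ausearch -m AVC -ts recent | avc_to_allow`. The merged rules are the raw form; turning `allow pulpcore_t proc_t:file { read getattr };` into the `kernel_getattr_proc(pulpcore_t)` style interfaces used in the comment is what `audit2allow -R` does with the refpolicy interface files. The second function is the check to run before adding rules at all: if the denials carry a source type other than pulpcore_t, the process is not running in the intended domain, which is the kind of symptom the comment describes for /var/run.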
