Story #7043
openAs a user, I have pulp_installer compile and install the pulpcore-selinux policy
67%
Description
Overview¶
On Red Hat systems, Pulp installer needs to clone pulpcore-selinux repository[0], compile the policy inside of it, and install the policy, label all the ports used by pulp services[1].
[0] https://github.com/pulp/pulpcore-selinux [1] https://github.com/pulp/pulpcore-selinux#labeling-pulpcore_port
File Path Requirements/Details¶
The SELinux policy is built assuming default file paths. For example things like /var/lib/pulp, etc. Those defaults are in the policy's ".fc" file here.
On producton systems when these paths are changed the compiled policy will need to generate a correct .fc file to use when compiling the policy.
On dev systems, a new .fc file will need to be generated as well for the dev environment.
Alternatively, we can call commands/modules to update the label database with these changed paths.
install-from-RPM mode¶
Currently not needed (Dennis & Mike), the policies get installed (pre-compiled) via pulpcore-selinux RPM package, which the installer defaults to installing.
Because /usr/bin/rq and /usr/bin/gunicorn are generic, this mode will require wrapper scripts like Katello creates. If we are to support this mode at all (usually policies are in a separate RPM package.)
Which version of pulpcore-selinux gets installed?¶
Currently the "master" branch. Alternatives, like tagged releases, are TBD.
How to test branches of pulpcore-selinux?¶
The git repo and branch ("master") are configurable via 2 private variables, but there is no "Required PR" support because it is a lot of work and may not pay off. They can be overriden via __pulp_selinux_repo
and __pulp_selinux_version.
We should set these in molecule vars files for CI when needed.
Provide support for disabling SELinux in the installer?¶
This is worth considering in case an incompatible plugin will be installed. However, universally disabling SELinux is outside of of the scope of the installer now.
Installing the 1 package for the ports should be in pulp_api & pulp_content roles.¶
Doing so would be ideal, but our current implementation of installing it in pulp_common is good enough. (Dennis & Mike)
Also install the policy for the other selinux modes (mls, strict & targeted), not just the current one.¶
Current is good enough, we do only targeted for Pulp 2. (Dennis & Mike)
Support for dev mode installs, with pulp source installed in editable mode?¶
Tracked via: https://pulp.plan.io/issues/97
Related issues
Updated by spredzy over 4 years ago
- Tags SELinux added
Current SELinux policy (pulp/pulpcore-selinux) is missing some rules
-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat
kernel_getattr_proc(pulpcore_t)
kernel_search_proc(pulpcore_t)
kernel_list_proc(pulpcore_t)
kernel_getattr_proc_files(pulpcore_t)
kernel_read_proc_symlinks(pulpcore_t)
-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5
optional_policy(`
kerberos_use(pulpcore_t)
')
optional_policy(`
kerberos_read_keytab(pulpcore_t)
')
corenet_tcp_connect_kerberos_password_port(pulpcore_t)
For some reasons anything under /var/run
does not get trnaistion properly I haven't found the reason why yet
Updated by mdepaulo@redhat.com over 4 years ago
- Assignee set to mdepaulo@redhat.com
- Sprint set to Sprint 80
Updated by mdepaulo@redhat.com over 4 years ago
FYI, right now for RPM-based installs, a package (such as pulpcore-selinux
) gets installed:
https://github.com/pulp/pulp_installer/blob/master/roles/pulp_common/defaults/main.yml#L51
Updated by pulpbot about 4 years ago
- Status changed from NEW to POST
Updated by mdepaulo@redhat.com about 4 years ago
- Status changed from POST to ASSIGNED
Updated by mdepaulo@redhat.com about 4 years ago
- Related to Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment added
Updated by mdepaulo@redhat.com about 4 years ago
spredzy wrote:
Current SELinux policy (pulp/pulpcore-selinux) is missing some rules
-> SELinux is preventing /usr/libexec/platform-python3.6 from read access on the file stat
kernel_getattr_proc(pulpcore_t) kernel_search_proc(pulpcore_t) kernel_list_proc(pulpcore_t) kernel_getattr_proc_files(pulpcore_t) kernel_read_proc_symlinks(pulpcore_t)
-> SELinux is preventing /usr/libexec/platform-python3.6 from search access on the directory krb5
optional_policy(` kerberos_use(pulpcore_t) ') optional_policy(` kerberos_read_keytab(pulpcore_t) ') corenet_tcp_connect_kerberos_password_port(pulpcore_t)
For some reasons anything under
/var/run
does not get trnaistion properly I haven't found the reason why yet
This was addressed in pulpcore-selinux 1.1.0: https://github.com/pulp/pulpcore-selinux/releases/tag/1.1.0
This epic, as partially implemented, installs 1.1.x in pip mode via an internal variable for the version. And it installs the latest version (in the RPM repo) in RPM mode.
Therefore, this issue is resolved.
Updated by ipanova@redhat.com over 3 years ago
- Sprint changed from Sprint 101 to Sprint 102
Updated by rchan about 3 years ago
- Sprint changed from Sprint 105 to Sprint 106
Updated by rchan about 3 years ago
- Sprint changed from Sprint 106 to Sprint 107
Updated by rchan about 3 years ago
- Sprint changed from Sprint 107 to Sprint 108
Updated by rchan about 3 years ago
- Sprint changed from Sprint 108 to Sprint 109
Updated by rchan about 3 years ago
- Sprint changed from Sprint 109 to Sprint 110
Updated by rchan about 3 years ago
- Sprint changed from Sprint 110 to Sprint 111
Updated by rchan almost 3 years ago
- Sprint changed from Sprint 111 to Sprint 112