Project

Profile

Help

Story #7075

closed

As a user I want Pulp to run on EL8 with SELinux enforced

Added by spredzy over 4 years ago. Updated about 4 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
SELinux
Sprint:
Sprint 84
Quarter:

Description

As a user I want to be able to deploy Pulp on a vanilla CentOS8/RHEL8 box with SELinux enforced and things should just work. TM.

Actions #1

Updated by spredzy over 4 years ago

More info on what is not working available here: https://pulp.plan.io/issues/7043#note-3

Also file trnsition doesn't seem to work as expected. I would expect /var/run/pulpcore* to be with the pulpcore_t_var_run_t context but it is labeled with var_run_t

[vagrant@localhost pulpcore-selinux]$ sesearch  -t var_run_t -T | grep pulpcore
type_transition pulpcore_t var_run_t:dir pulpcore_var_run_t;
type_transition pulpcore_t var_run_t:file pulpcore_var_run_t;
type_transition pulpcore_t var_run_t:lnk_file pulpcore_var_run_t;

[vagrant@localhost pulpcore-selinux]$ ps faxZ | grep pulpcore_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 20575 pts/0 S+   0:00  |           \_ grep --color=auto pulpcore_t
system_u:system_r:pulpcore_t:s0 15992 ?        Ss     0:00 /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 15997 ?        S      0:02  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 15998 ?        S      0:02  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 20416 ?        Ss     0:00 /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20419 ?        S      0:01  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20420 ?        S      0:01  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20423 ?        S      0:01  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20424 ?        S      0:01  \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -

[vagrant@localhost pulpcore-selinux]$ ls -lZ /var/run/ | grep pulpcore-api
drwxr-xr-x.  2 pulp     pulp     system_u:object_r:var_run_t:s0                  40 Jun 30 10:54 pulpcore-api
Actions #2

Updated by fao89 over 4 years ago

  • Tracker changed from Issue to Story
  • % Done set to 0
  • Severity deleted (2. Medium)
  • Triaged deleted (No)
Actions #3

Updated by mdepaulo@redhat.com over 4 years ago

  • Assignee set to mdepaulo@redhat.com
  • Sprint set to Sprint 80
  • Tags SELinux added
Actions #4

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 80 to Sprint 81
Actions #5

Updated by rchan over 4 years ago

  • Sprint changed from Sprint 81 to Sprint 82
Actions #6

Updated by rchan about 4 years ago

  • Sprint changed from Sprint 82 to Sprint 83
Actions #7

Updated by rchan about 4 years ago

  • Sprint changed from Sprint 83 to Sprint 84
Actions #8

Updated by mdepaulo@redhat.com about 4 years ago

  • Status changed from NEW to CLOSED - CURRENTRELEASE

This was implemented in pulpcore-selinux 1.1.0: https://github.com/pulp/pulpcore-selinux/tags

It addresses "install from RPM" mode, which the reporter was using. That mode by default installs pulpcore-selinux as an RPM package. So the installer inherits the fix from the RPM repo, regardless of pulp_installer version.

"Install from pip" mode's support for installing pulpcore-selinux is still under development: https://pulp.plan.io/issues/7043

Actions #9

Updated by mdepaulo@redhat.com about 4 years ago

  • % Done changed from 0 to 100

Also available in: Atom PDF