Story #7075
closedAs a user I want Pulp to run on EL8 with SELinux enforced
100%
Description
As a user I want to be able to deploy Pulp on a vanilla CentOS8/RHEL8 box with SELinux enforced and things should just work. TM.
Updated by spredzy over 4 years ago
More info on what is not working available here: https://pulp.plan.io/issues/7043#note-3
Also file trnsition doesn't seem to work as expected. I would expect /var/run/pulpcore* to be with the pulpcore_t_var_run_t
context but it is labeled with var_run_t
[vagrant@localhost pulpcore-selinux]$ sesearch -t var_run_t -T | grep pulpcore
type_transition pulpcore_t var_run_t:dir pulpcore_var_run_t;
type_transition pulpcore_t var_run_t:file pulpcore_var_run_t;
type_transition pulpcore_t var_run_t:lnk_file pulpcore_var_run_t;
[vagrant@localhost pulpcore-selinux]$ ps faxZ | grep pulpcore_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 20575 pts/0 S+ 0:00 | \_ grep --color=auto pulpcore_t
system_u:system_r:pulpcore_t:s0 15992 ? Ss 0:00 /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 15997 ? S 0:02 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 15998 ? S 0:02 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.content:server --bind 127.0.0.1:24816 --worker-class aiohttp.GunicornWebWorker -w 2 --access-logfile -
system_u:system_r:pulpcore_t:s0 20416 ? Ss 0:00 /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20419 ? S 0:01 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20420 ? S 0:01 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20423 ? S 0:01 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
system_u:system_r:pulpcore_t:s0 20424 ? S 0:01 \_ /usr/local/lib/pulp/bin/python3 /usr/local/lib/pulp/bin/gunicorn pulpcore.app.wsgi:application --bind 127.0.0.1:24817 --workers 4 --access-logfile -
[vagrant@localhost pulpcore-selinux]$ ls -lZ /var/run/ | grep pulpcore-api
drwxr-xr-x. 2 pulp pulp system_u:object_r:var_run_t:s0 40 Jun 30 10:54 pulpcore-api
Updated by fao89 over 4 years ago
- Tracker changed from Issue to Story
- % Done set to 0
- Severity deleted (
2. Medium) - Triaged deleted (
No)
Updated by mdepaulo@redhat.com over 4 years ago
- Assignee set to mdepaulo@redhat.com
- Sprint set to Sprint 80
- Tags SELinux added
Updated by mdepaulo@redhat.com about 4 years ago
- Status changed from NEW to CLOSED - CURRENTRELEASE
This was implemented in pulpcore-selinux 1.1.0: https://github.com/pulp/pulpcore-selinux/tags
It addresses "install from RPM" mode, which the reporter was using. That mode by default installs pulpcore-selinux
as an RPM package. So the installer inherits the fix from the RPM repo, regardless of pulp_installer version.
"Install from pip" mode's support for installing pulpcore-selinux is still under development: https://pulp.plan.io/issues/7043