Pulp

The policy expects the rq and gunicorn services to be started from their binaries in either of these paths: https://github.com/pulp/pulpcore-selinux/blob/master/pulpcore.fc#L11-L20

I see in the report the path /usr/bin/python3 /usr/bin/gunicorn so maybe that has something to do with them not receiving the right labels?

This is not something we control from an install perspective as a user

[root@localhost ansible-tower-setup-3.8.0-0.git20201006.37b3cc7]# systemctl cat pulpcore-api
# /usr/lib/systemd/system/pulpcore-api.service
[Unit]
Description=Pulp WSGI Server
After=network-online.target
Wants=network-online.target

[Service]
Environment="DJANGO_SETTINGS_MODULE=pulpcore.app.settings"
Environment="PULP_SETTINGS=/etc/pulp/settings.py"
Environment="PATH=/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
Environment="LD_LIBRARY_PATH=/opt/rh/rh-postgresql10/root/usr/lib64"
User=pulp
Group=pulp
PIDFile=/run/pulpcore-api.pid
RuntimeDirectory=pulpcore-api
ExecStart=/usr/bin/gunicorn pulpcore.app.wsgi:application \
          --bind 'unix:/var/run/pulpcore-api/pulpcore-api.sock' \
          --workers 4 \
          --access-logfile -

# This provides reconnect support for PostgreSQL and Redis. Without reconnect support, if either
# is not available at startup or becomes disconnected, this process will die and not respawn.
Restart=always
RestartSec=3

# Enables tracking of process resource consumption at a unit & cgroup level.
CPUAccounting=yes
MemoryAccounting=yes

# This directive is set to an absolute path in other Pulp units. Using an
# absolute path is an abuse of the directive, as it should be a relative path,
# not an absolute path. PIDFile is now used to ensure that PID files are laid
# out in a standard way. If this directive had any other effects, it is better
# to use the correct directive than to uncomment this.
# WorkingDirectory=/var/run/pulpcore-api/

[Install]
WantedBy=multi-user.target

Now if you are wondering where the /usr/bin/python3 comes from in the original ticket, its the shebang in /usr/bin/gunicorn

[root@localhost ansible-tower-setup-3.8.0-0.git20201006.37b3cc7]# cat /usr/bin/gunicorn 
#!/usr/bin/python3
# EASY-INSTALL-ENTRY-SCRIPT: 'gunicorn==20.0.4','console_scripts','gunicorn'
__requires__ = 'gunicorn==20.0.4'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('gunicorn==20.0.4', 'console_scripts', 'gunicorn')()
    )

One can run ln s /usr/bin/python3 /usr/bin/python-pulp and update the shebang of /usr/bin/gunicorn like that

[root@localhost ansible-tower-setup-3.8.0-0.git20201006.37b3cc7]# cat /usr/bin/gunicorn 
#!/usr/bin/python-pulp
# EASY-INSTALL-ENTRY-SCRIPT: 'gunicorn==20.0.4','console_scripts','gunicorn'
__requires__ = 'gunicorn==20.0.4'
import re
import sys
from pkg_resources import load_entry_point

if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw?|\.exe)?$', '', sys.argv[0])
    sys.exit(
        load_entry_point('gunicorn==20.0.4', 'console_scripts', 'gunicorn')()
    )

to be able to see the result

root      4190  0.0  0.1  12528   980 pts/0    S+   12:06   0:00  |                       \_ grep --color=auto pulpcore-api
pulp      4178  2.4  1.2 122984  6228 ?        Ss   12:06   0:00 /usr/bin/python-pulp /usr/bin/gunicorn pulpcore.app.wsgi:application --bind unix:/var/run/pulpcore-api/pulpcore-api.sock --workers 4 --access-logfile -
pulp      4181 22.8 16.3 276284 81560 ?        S    12:06   0:01  \_ /usr/bin/python-pulp /usr/bin/gunicorn pulpcore.app.wsgi:application --bind unix:/var/run/pulpcore-api/pulpcore-api.sock --workers 4 --access-logfile -
pulp      4183 22.5 16.3 276284 81680 ?        S    12:06   0:01  \_ /usr/bin/python-pulp /usr/bin/gunicorn pulpcore.app.wsgi:application --bind unix:/var/run/pulpcore-api/pulpcore-api.sock --workers 4 --access-logfile -
pulp      4185 22.3 16.3 276284 81680 ?        S    12:06   0:01  \_ /usr/bin/python-pulp /usr/bin/gunicorn pulpcore.app.wsgi:application --bind unix:/var/run/pulpcore-api/pulpcore-api.sock --workers 4 --access-logfile -
pulp      4186 22.3 16.3 276308 81672 ?        S    12:06   0:01  \_ /usr/bin/python-pulp /usr/bin/gunicorn pulpcore.app.wsgi:application --bind unix:/var/run/pulpcore-api/pulpcore-api.sock --workers 4 --access-logfile -

What's the output of

ls -lZ /usr/bin/{gunicorn,rq}

I suspect they may not have been labelled correctly.

Summarizing the discussion on IRC:

# ls -lZ /usr/bin/gunicorn /usr/bin/rq
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/gunicorn
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/rq

A restorecon did reset them.

The problem is https://github.com/theforeman/pulpcore-packaging/blob/faabec8978c1cd9166da3fb715b7a97b3080c19c/packages/pulpcore-selinux/pulpcore-selinux.spec#L60:

/sbin/fixfiles -R python3-pulpcore restore || :

This restores the contexts on python3-pulpcore, but /usr/bin/{gunicorn,rq} are owned by python3-gunicorn and /usr/bin/rq.

https://github.com/theforeman/pulpcore-packaging/pull/37 is an effort to introduce wrappers. That's probably the best place to address this.

ekohl is correct, I want the wrappers to be the permanent fix. I want to work with them on those.

If there is an urgent need, pulp_installer can do 1 of the following temporary fixes:

1. Have the installer create the wrappers; identical to what the packages create.
2. Have the installer run fixfiles on those paths. It's already running fixfiles as part of the SELinux support for pip mode anyway, #7574.

EDIT: Only # 2 will work at this very moment, because the pulpcore-selinux RPM package needs to be updated from 1.1.1 to 1.1.2 for # 1 to work properly: https://github.com/pulp/pulpcore-selinux/releases/tag/1.1.2

Per our IRC convo, I'm letting the updated packages get released. I just reviewed: https://github.com/theforeman/pulpcore-packaging/pull/38

By now pulpcore-selinux 1.1.3 has been released which contains the correct context. python3-pulpcore-3.7.1-2 contains the libexec wrappers. For convenience, I've submitted https://github.com/theforeman/pulpcore-packaging/pull/41 as a cherry pick to 3.6. That makes life easier in the Foreman Installer where the module still primarily 3.6 (since 3.7 was incomplete until yesterday).