Issue #7922

closed

additional AVC denials

Added by bmclaugh over 3 years ago. Updated over 3 years ago.

Status: CLOSED - NOTABUG
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags: SELinux
Sprint:
Quarter:

Description

I'm working on a feature for galaxy_ng where collections are imported and sanity tested in a container via podman. This resulted in additional AVC denials in the audit log related to podman which need to be accounted for. I've attached a text file with the applicable section of the log.


Files

avc-denials.txt (222 KB) bmclaugh, 12/04/2020 03:56 PM

Actions #1

Updated by dkliban@redhat.com over 3 years ago

Which Pulp API are you using when these AVC denials are produced?

Actions #2

Updated by bmclaugh over 3 years ago

This occurs when pulp_ansible is processing an uploaded collection [1] when galaxy_importer is configured to run ansible_test via Podman.

[1] https://github.com/pulp/pulp_ansible/blob/master/pulp_ansible/app/tasks/collections.py#L150

Actions #3

Updated by dkliban@redhat.com over 3 years ago

  • Category deleted (Installer - Moved to GitHub issues)
Actions #4

Updated by bmbouter over 3 years ago

I'm not sure Pulp can readily solve this problem because the calls don't occur from code Pulp maintains. Since galaxy_importer is having changes occur that require additional SELinux updates, can you all reach out to the SELinux team to extend the policy https://github.com/pulp/pulpcore-selinux to handle those calls also? I'll message some sharing info about the process of how to do that.

Actions #5

Updated by fao89 over 3 years ago

  • Status changed from NEW to CLOSED - NOTABUG
