Task #843 (closed)
Make pulp-selinux versioned independently from pulp-server
Description
The pulp-selinux policy should no longer be lock-step versioned with platform. By doing this pulp-selinux would only be upgraded if it is actually needed. Currently, even if the policy is the same between two versions of pulp, the pulp-selinux package is uninstalled and installed. This takes time even with the recent improvements in restorecon statements run at upgrade time.
This versioning should be independent at the rpm level so that, when it is included as a dependency of pulp-server, yum will recognize that the package is already installed if the version has not changed during a pulp-server upgrade. This likely will include moving the selinux things to its own spec file. Also, inside the rpm there are two SELinux policies, named pulp-server and pulp-celery. These also carry version information, and should match the version of the rpm that contains them. Today that is the case, but they all are set by the
There are still some open questions:
(1) Is moving the pulp-selinux definition to its own spec file the right thing to do, or could we manage independent versions out of one spec file?
(2) Should the selinux code be moved into its own repo and treated like an independently versioned plugin? The builder could pull in the right version.
(3) How should users report SELinux issues? What version would they set? The pulp version where they experience the issue or the SELinux version directly?
We should be sure that whatever we do, we don't make it harder to resolve #97.