As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment
The real deliverables are in the checklist, but here is some extra info on how to compile it.
To compile and install the Pulp SELinux with Ansible for Vagrant you will need to:
- Install selinux-policy-devel rpm with ansible
- Compile the policy with Ansible, similar to:
make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24
- Install the policy using Ansible
- Have ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.
- If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.
Run ps -awfuxZ | grep celery to verify that the celery processes are running with the celery_t security label type. Similarly, httpd should get the httpd security type. Then do some testing with Pulp and SELinux enabled.
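The compile/install/restorecon steps and the context check above, written as an added Ansible playbook for the Vagrant box. This is example code, not Pulp's own Vagrant or Ansible provisioning. Assumptions, all hypothetical: the policy sources live in /home/vagrant/devel/pulp/selinux, the module is called pulp, and the two restorecon paths are placeholders for whatever the developer-layout .fc file labels; the make invocation is the one from the description.

```yaml
# Added example playbook (not Pulp's own provisioning code).
# Assumed values: pulp_selinux_src, pulp_selinux_module and the
# pulp_restorecon_paths list are hypothetical placeholders.
- name: Build and install the Pulp SELinux policy in the Vagrant box
  hosts: all
  become: true
  vars:
    pulp_selinux_src: /home/vagrant/devel/pulp/selinux   # assumption
    pulp_selinux_module: pulp                            # assumption
    pulp_restorecon_paths:                               # assumption: dirs labelled by the .fc file
      - /home/vagrant/devel/pulp
      - /var/lib/pulp
  tasks:
    - name: Install the SELinux policy development toolchain
      ansible.builtin.dnf:
        name:
          - selinux-policy-devel
          - policycoreutils-python-utils
        state: present

    # Same make invocation as in the description, run from the source dir.
    - name: Compile the .te/.fc sources into a .pp module
      ansible.builtin.command:
        cmd: make NAME={{ pulp_selinux_module }} -f /usr/share/selinux/devel/Makefile DISTRO=fedora24
        chdir: "{{ pulp_selinux_src }}"
      register: policy_build
      changed_when: "'is up to date' not in policy_build.stdout"

    - name: Install (or upgrade) the compiled module
      ansible.builtin.command:
        cmd: semodule -i {{ pulp_selinux_src }}/{{ pulp_selinux_module }}.pp
      when: policy_build.changed

    # One loop over a list keeps the restorecon calls DRY.
    - name: Relabel the developer layout so the new file contexts apply
      ansible.builtin.command:
        cmd: restorecon -Rv {{ item }}
      loop: "{{ pulp_restorecon_paths }}"
      register: relabel
      changed_when: relabel.stdout | length > 0

    - name: Make sure the box is Enforcing, not just Permissive
      ansible.posix.selinux:
        policy: targeted
        state: enforcing

    # Equivalent of "ps -awfuxZ | grep celery": collect the label column
    # for celery and httpd processes only.
    - name: Collect the security context of running celery and httpd processes
      ansible.builtin.shell: ps -eo label,comm | awk '$2 ~ /^(celery|httpd)$/ {print $1}' | sort -u
      register: proc_labels
      changed_when: false

    - name: Fail the provision if the daemons are not confined by the expected types
      ansible.builtin.assert:
        that:
          - proc_labels.stdout is search('celery_t')
          - proc_labels.stdout is search('httpd_t')
        fail_msg: "Expected celery_t and httpd_t contexts, got: {{ proc_labels.stdout_lines }}"
```

The final assert is what turns "then do some testing" into a provisioning gate: if the developer-layout .fc file does not label the celery and httpd binaries, the processes come up as unconfined_t or initrc_t and the Vagrant provision fails loudly instead of silently running unconfined. The celery and httpd daemons have to be started before this play runs (a prior role in the real Vagrant setup, assumed here).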
#2 Updated by bmbouter over 6 years ago
- Tracker changed from Issue to Story
- Subject changed from allow pulp dev setup to work with selinux enabled to Allow Pulp dev setup to work with SELinux enabled
I think the scope of the problem is a lot bigger than this story identifies. It's not just the pulp-dev.py script. The "developer layout" that pulp-dev.py produces will not run correctly with SELinux enabled. Does this user expect to be able to develop Pulp with SELinux enabled? If so, that will not be so easy to accomplish.
Here's a recap of the thinking that got us here. The developer layout versus what an RPM lays out are substantially different. Poking holes in the production policy to allow for development activities doesn't make sense. This leads to the conclusion that for Pulp development to happen with SELinux enabled, Pulp would need a SELinux policy specifically for development. The first policy took a few weeks to write and test on all the platforms, so it would likely take a similar level of effort to make a Pulp SELinux policy. Any change in the developer layout will also need to have changes in the Pulp developer SELinux policy. Those changes need to be tested on all the platforms, so easy changes all of a sudden become a lot more painful. It would be good to have one, but we never could prioritize this activity in front of other more pressing work. I'm also not sure we can commit to maintaining such a thing. This caused me to document that Pulp can't be developed with SELinux enabled at this time.
#9 Updated by bmbouter over 4 years ago
- Checklist item enable SELinux in vagrant environment on master and 3.0-dev added
- Checklist item Have vagrant+ansible compile the Pulp SELinux policy and install it added
- Checklist item verify that the celery processes and streamer are running with the expected security contexts added
- Checklist item Create some developer docs on how to compile and install the SELinux policy in case users need to do it manually added
- Subject changed from Allow Pulp dev setup to work with SELinux enabled to Pulp vagrant environments should run with SELinux enabled
- Description updated (diff)
I'm rewriting the contents of the bug with an engineering plan of how to accomplish the title.
#14 Updated by bmbouter almost 4 years ago
- Subject changed from Pulp vagrant environments should run with SELinux enabled to As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment
- Groomed changed from Yes to No
- Tags Pulp 3 added
Rewriting to be Pulp3 specific. With active development occurring on Pulp3, it is not as useful to continue having this track the SELinux Vagrant issue for Pulp2.