Story #97

open

As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment

Added by cduryee about 9 years ago. Updated over 2 years ago.

Status: NEW
Priority: Normal
Assignee: -
Category: Installer - Moved to GitHub issues
Sprint/Milestone: -
Start date:
Due date:
% Done: 50%
Estimated time: (Total: 0:00 h)
Platform Release:
Groomed: No
Sprint Candidate: No
Tags: SELinux
Sprint:
Quarter:

Description

The real deliverables are in the checklist, but here is some extra info on how to compile it.

To compile and install the Pulp SELinux policy with Ansible for Vagrant you will need to:

  • Install the selinux-policy-devel RPM with Ansible
  • Compile the policy similar to make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24 except with Ansible
  • Install the policy using Ansible
  • Have Ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.[0]
  • If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.

Use ps -awfuxZ | grep celery to verify it is becoming the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.

[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh
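
The verification step above can be scripted rather than read by eye. The following is an added example, not part of the original issue or of Pulp's code: it parses `ps -awfuxZ` output and reports any process running outside its expected SELinux type. The function name `check_domain`, the sample rows, and `httpd_t` as the expected httpd type are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Real use: ps -awfuxZ | check_domain celery celery_t
# Assumes the ps -awfuxZ layout: LABEL first, COMMAND from column 12.

# Constructed sample output (not captured from a real Pulp host).
SAMPLE_PS='LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:celery_t:s0 apache 901 0.1 1.0 100 50 ? Ss 10:00 0:01 /usr/bin/python /usr/bin/celery worker
system_u:system_r:unconfined_service_t:s0 apache 902 0.1 1.0 100 50 ? S 10:00 0:01  \_ /usr/bin/python /usr/bin/celery worker
system_u:system_r:httpd_t:s0 root 950 0.0 0.5 100 50 ? Ss 10:00 0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 vagrant 990 0.0 0.1 10 5 pts/0 S+ 10:05 0:00 grep celery'

# check_domain NAME TYPE: read ps output on stdin and print "PID TYPE" for
# every NAME process whose SELinux type differs from TYPE.
# Exit 0 = all match, 1 = mismatch found, 2 = no NAME process seen.
check_domain() {
    awk -v name="$1" -v want="$2" '
        NR == 1 && $1 == "LABEL" { next }      # header row
        {
            # Skip the tree-drawing tokens that -f puts before the command.
            c = 12
            while (c <= NF && ($c == "\\_" || $c == "|")) c++
            n = split($c, p, "/")
            if (p[n] == "grep") next           # the grep from the pipeline
            hit = 0
            for (i = c; i <= NF; i++) {
                n = split($i, p, "/")
                if (p[n] == name) { hit = 1; break }
            }
            if (!hit) next
            seen++
            # Context is user:role:type[:level]; the level may hold colons.
            split($1, ctx, ":")
            if (ctx[3] != want) { bad++; print $3, ctx[3] }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Run against the constructed sample: reports PID 902 as mislabeled.
printf '%s\n' "$SAMPLE_PS" | check_domain celery celery_t || echo "exit status: $?"
```

Exit status 2 distinguishes "service not running" from "all processes correctly labeled", so a provisioning step does not pass vacuously.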


Sub-issues 2 (1 open, 1 closed)

  • Story #9007: As a vagrant user, I get an error if SELinux failed (CLOSED - CURRENTRELEASE, fao89)
  • Issue #9211: Vagrant devel installs have SELinux errors (NEW)

Related issues

  • Related to Pulp - Task #843: Make pulp-selinux versioned independently from pulp-server (CLOSED - WONTFIX)
  • Related to Pulp - Story #7043: As a user, I have pulp_installer compile and install the pulpcore-selinux policy (ASSIGNED, mdepaulo@redhat.com)
  • Has duplicate Pulp - Issue #2792: syncing an importer has SELinux denials (CLOSED - DUPLICATE)
  • Blocked by Pulp - Story #3809: As a user, I can run Pulp 3 with SELinux enforcing (CLOSED - CURRENTRELEASE, bmbouter)
  • Blocked by Pulp - Task #7575: pulp_installer's SELinux support should handle folder paths being changed (NEW)

#1

Updated by rbarlow about 9 years ago

+1

#2

Updated by bmbouter about 9 years ago

  • Tracker changed from Issue to Story
  • Subject changed from allow pulp dev setup to work with selinux enabled to Allow Pulp dev setup to work with SELinux enabled

I think the scope of the problem is a lot bigger than this story identifies. It's not just the pulp-dev.py script. The "developer layout" that pulp-dev.py produces will not run correctly with SELinux enabled [0]. Does this user expect to be able to develop Pulp with SELinux enabled? If so, that will not be so easy to accomplish.

Here's a recap of the thinking that got us here. The developer layout versus what an RPM lays out are substantially different. Poking holes in the production policy to allow for development activities doesn't make sense. This leads to the conclusion that for Pulp development to happen with SELinux enabled, Pulp would need a SELinux policy specifically for development. The first policy took a few weeks to write and test on all the platforms so it would likely take a similar level of effort to make a Pulp SELinux policy. Also any change in the developer layout will also need to have changes in the Pulp developer SELinux policy. Those changes need to be tested on all the platforms, so easy changes all of a sudden become a lot more painful. It would be good to have one, but we never could prioritize this activity in front of other more pressing work. I'm also not sure we can commit to maintaining such a thing. This caused me to document that Pulp can't be developed with SELinux enabled at this time.

https://pulp-dev-guide.readthedocs.org/en/latest/contributing/dev_setup.html?highlight=selinux#selinux

#3

Updated by bmbouter almost 9 years ago

  • Related to Task #843: Make pulp-selinux versioned independently from pulp-server added
#4

Updated by bmbouter almost 8 years ago

  • Related to deleted (Task #843: Make pulp-selinux versioned independently from pulp-server)
#5

Updated by bmbouter almost 8 years ago

  • Parent issue set to #1826
#6

Updated by bmbouter almost 8 years ago

  • Related to Task #843: Make pulp-selinux versioned independently from pulp-server added
#7

Updated by bmbouter almost 8 years ago

  • Tags SELinux added
#8

Updated by bmbouter almost 8 years ago

  • Parent issue deleted (#1826)
#9

Updated by bmbouter over 7 years ago

  • Subject changed from Allow Pulp dev setup to work with SELinux enabled to Pulp vagrant environments should run with SELinux enabled
  • Description updated (diff)

I'm rewriting the contents of the bug with an engineering plan of how to accomplish the title.

#10

Updated by bmbouter over 7 years ago

  • Sprint Candidate changed from No to Yes
#11

Updated by bmbouter over 7 years ago

  • Description updated (diff)
#12

Updated by dkliban@redhat.com over 7 years ago

  • Groomed changed from No to Yes
#13

Updated by bmbouter almost 7 years ago

  • Has duplicate Issue #2792: syncing an importer has SELinux denials added
#14

Updated by bmbouter almost 7 years ago

  • Subject changed from Pulp vagrant environments should run with SELinux enabled to As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment
  • Groomed changed from Yes to No
  • Tags Pulp 3 added

Rewriting to be Pulp3 specific. With active development occurring on Pulp3, it is not as useful to continue having this track the SELinux Vagrant issue for Pulp2.

#15

Updated by amacdona@redhat.com almost 7 years ago

I would like to see all of this in a completely separate Ansible role.

#16

Updated by bmbouter almost 7 years ago

  • Description updated (diff)

@asmacdo, I agree. I added a checklist item. I also removed two leftover checklist items from when I edited it earlier. I also updated the diff some too to reflect the update from earlier today.

#17

Updated by amacdona@redhat.com over 5 years ago

  • Sprint Candidate changed from Yes to No
#18

Updated by amacdona@redhat.com over 5 years ago

  • Blocked by Story #3809: As a user, I can run Pulp 3 with SELinux enforcing added
#19

Updated by amacdona@redhat.com over 5 years ago

  • Tags Pulp 3 installer added
#20

Updated by bmbouter almost 5 years ago

  • Tags deleted (Pulp 3)
#21

Updated by bmbouter almost 4 years ago

  • Category set to Installer - Moved to GitHub issues
  • Tags deleted (Pulp 3 installer)
#22

Updated by mdepaulo@redhat.com over 3 years ago

  • Related to Story #7043: As a user, I have pulp_installer compile and install the pulpcore-selinux policy added
#23

Updated by mdepaulo@redhat.com over 3 years ago

  • Blocked by Task #7575: pulp_installer's SELinux support should handle folder paths being changed added
#24

Updated by mdepaulo@redhat.com over 2 years ago

  • Blocked by Task #7575: pulp_installer's SELinux support should handle folder paths being changed added
