Story #97: As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment - Pulp

Agile board
Agile charts

Agile boards

Pulp 2 QE Agile Board
Pulp 2 QE Agile Board - Priority View
Pulp 3 QE Agile Board
Pulp 3 RPM Tests Agile Board
Sprint 112 Agile Board

Custom queries

[All Projects] All Test Trackers
2.21.4 - Next Bugfix Release
2.21.4 MODIFIED
2.21.5
3.14.3
CI/CD
Easy Fix
FIPS open
Functional Tests
Galaxy NG
Groomed
Installer - Triage
Installer Items
Issues for Triage
Katello Integration
Next Docs Day
Operator issues
POST/ASSIGNED - no Sprint - Pulp2
POST/ASSIGNED - no Sprint - Pulp3
Prioritized Bugs
Pulp 3 Docs issues
Pulp2 issues available for next release
Pulpcore
SELinux related
Sprint 111
Sprint 112
Sprint Candidates (also groomed)
Un-Triaged Bugs
Verification Required

Actions

Send by e-mail Copy link

Story #97

open

As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment

Added by cduryee over 9 years ago. Updated over 2 years ago.

Status:

NEW

Priority:

Normal

Assignee:

Category:

Installer - Moved to GitHub issues

Sprint/Milestone:

Start date:

Due date:

% Done:

50%

Estimated time:

(Total: 0:00 h)

Platform Release:

Groomed:

Sprint Candidate:

Tags:

SELinux

Sprint:

Quarter:

Description

The real deliverables are in the checklist, but here is some extra info on how to compile it.

To compile and install the Pulp SELinux with Ansible for Vagrant you will need to:

Install selinux-policy-devel rpm with ansible
Compile the policy similar to make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24 except with ansible
Install the policy using Ansible
Have ansible call the restorecon script or fixfiles (see checklist item) so that all the right restorecon calls occur. Stay DRY with these calls if possible.[0]
If necessary, have the policy use "developer layout" .fc files to cause the .te compiled policies to be compatible with the layout used by Vagrant.

Use the ps -awfuxZ | grep celery to verify it is becoming the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.

[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh

Sub-issues 2 (1 open — 1 closed)

Story #9007: As a vagrant user, I get an error if SELinux failed

CLOSED - CURRENTRELEASE

fao89

Actions

Issue #9211: Vagrant devel installs have SELinux errors

NEW

Actions

Related issues

Related to Pulp - Task #843: Make pulp-selinux versioned independently from pulp-server

CLOSED - WONTFIX

Actions

Related to Pulp - Story #7043: As a user, I have pulp_installer compile and install the pulpcore-selinux policy

ASSIGNED

mdepaulo@redhat.com

Actions

Has duplicate Pulp - Issue #2792: syncing an importer has SELinux denials

CLOSED - DUPLICATE

Actions

Blocked by Pulp - Story #3809: As a user, I can run Pulp 3 with SELinux enforcing

CLOSED - CURRENTRELEASE

bmbouter

Actions

Blocked by Pulp - Task #7575: pulp_installer's SELinux support should handle folder paths being changed

NEW

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by rbarlow over 9 years ago

Actions

Copy link

Updated by bmbouter over 9 years ago

Tracker changed from Issue to Story
Subject changed from allow pulp dev setup to work with selinux enabled to Allow Pulp dev setup to work with SELinux enabled

I think the scope of the problem is a lot bigger than this story identifies. It's not just the pulp-dev.py script. The "developer layout" that pulp-dev.py produces will not run correctly with SELinux enabled [0]. Does this user expect to be able to develop Pulp with SELinux enabled? If so, that will not be so easy to accomplish.

Here's a recap of the thinking that got us here. The developer layout versus what an RPM lays out are substantially different. Poking holes in the production policy to allow for development activities doesn't make sense. This leads to the conclusion that for Pulp development to happen with SELinux enabled, Pulp would need a SELinux policy specifically for development. The first policy took a few weeks to write and test on all the platforms so it would likely take a similar level of effort to make a Pulp SELinux policy. Also any change in the developer layout will also need to have changes in the Pulp developer SELinux policy. Those changes need to be tested on all the platforms, so easy changes all of a sudden become a lot more painful. It would be good to have one, but we never could prioritize this activity in front of other more pressing work. I'm also not sure we can commit to maintaining such a thing. This caused me to document that Pulp can't be developed with SELinux enabled at this time.

https://pulp-dev-guide.readthedocs.org/en/latest/contributing/dev_setup.html?highlight=selinux#selinux

Actions

Copy link

Updated by bmbouter about 9 years ago

Related to Task #843: Make pulp-selinux versioned independently from pulp-server added

Actions

Copy link

Updated by bmbouter about 8 years ago

Related to deleted (Task #843: Make pulp-selinux versioned independently from pulp-server)

Actions

Copy link

Updated by bmbouter about 8 years ago

Parent issue set to #1826

Actions

Copy link

Updated by bmbouter about 8 years ago

Related to Task #843: Make pulp-selinux versioned independently from pulp-server added

Actions

Copy link

Updated by bmbouter about 8 years ago

Tags SELinux added

Actions

Copy link

Updated by bmbouter about 8 years ago

Parent issue deleted (~~#1826~~)

Actions

Copy link

Updated by bmbouter over 7 years ago

Subject changed from Allow Pulp dev setup to work with SELinux enabled to Pulp vagrant environments should run with SELinux enabled
Description updated (diff)

I'm rewriting the contents of the bug with an engineering plan of how to accomplish the title.

Actions

Copy link

#10

Updated by bmbouter over 7 years ago

Sprint Candidate changed from No to Yes

Actions

Copy link

#11

Updated by bmbouter over 7 years ago

Description updated (diff)

Actions

Copy link

#12

Updated by dkliban@redhat.com over 7 years ago

Groomed changed from No to Yes

Actions

Copy link

#13

Updated by bmbouter almost 7 years ago

Has duplicate Issue #2792: syncing an importer has SELinux denials added

Actions

Copy link

#14

Updated by bmbouter almost 7 years ago

Subject changed from Pulp vagrant environments should run with SELinux enabled to As a contributor, I rest easy knowing SELinux is Enforcing in the Pulp3 Vagrant environment
Groomed changed from Yes to No
Tags Pulp 3 added

Rewriting to be Pulp3 specific. With active development occurring on Pulp3, it is not as useful to continue having this track the SELinux Vagrant issue for Pulp2.

Actions

Copy link

#15

Updated by amacdona@redhat.com almost 7 years ago

I would like to see all of this in a completely separate Ansible role.

Actions

Copy link

#16

Updated by bmbouter almost 7 years ago

Description updated (diff)

@asmacdo, I agree. I added a checklist item. I also removed two leftover checklist items from when I edited it earlier. I also updated the diff some too to reflect the update from earlier today.

Actions

Copy link

#17