Story #97

Updated by bmbouter almost 3 years ago

I asked a python developer on another project to try out a pulp dev install so we could get feedback.

<pre>
1. Dev script does not allow for SELinux? That's going to be a no-go for people. Would it be possible just to poke a few holes in the policy just for pulp using semanage permissive? E.g.

Change apache to a permissive domain

# semanage permissive -a pulp_t

Alternatively, maybe you could provide a dev policy module built with audit2allow?

I don't know what the pulp policy looks like or what problems it hits or whatever, but just disabling SELinux wholesale is becoming not a great solution.
</pre>

There were some other issues as well but this was number one. The pulp dev setup should be runnable without disabling selinux on the system.

The checklist items should be done top to bottom.

To compile and install the Pulp SELinux with vagrant ansible you will need to:

* Install selinux-policy-devel rpm with ansible
* Make the policy similar to <code>make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24</code> except with ansible
* Install the policy using ansible
* Run some restorecon statements using ansible that mimic these[0]

Use the <code>ps -awfuxZ | grep celery</code> to verify the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.

[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh
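
The verification step from the checklist (<code>ps -awfuxZ | grep celery</code>), as an added shell example that is not part of the original issue or of Pulp: it fails when a matching process is missing or runs under a different SELinux type. The <code>check_label</code> helper, the sample output and the <code>httpd_t</code> type name are assumptions; the issue only says httpd should get an httpd security type.

```shell
#!/bin/sh
# check_label TYPE PATTERN  (hypothetical helper, not part of Pulp)
# Reads `ps -awfuxZ` output on stdin and prints a MISMATCH line for each
# process whose command matches PATTERN but whose SELinux type is not TYPE.
# Exit status is 0 only if at least one process matched and all carry TYPE.
check_label() {
    awk -v want="$1" -v pat="$2" '
        $1 == "LABEL" { next }    # ps header
        {
            # LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
            cmd = ""
            for (i = 12; i <= NF; i++) cmd = cmd (i > 12 ? " " : "") $i
            if (cmd !~ pat || cmd ~ /(^| )grep /) next   # skip the grep itself
            seen++
            n = split($1, ctx, ":")              # user:role:type:level
            type = (n >= 3) ? ctx[3] : "none"    # label is "-" with SELinux off
            if (type != want) {
                bad++
                print "MISMATCH pid=" $3 " type=" type " want=" want
            }
        }
        END { if (seen == 0 || bad > 0) exit 1 }
    '
}

# Constructed sample output, not captured from a real system.
sample_enforced() {
cat <<'EOF'
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:celery_t:s0 apache 2101 0.1 1.2 402000 48000 ? Ssl 10:02 0:03 /usr/bin/python /usr/bin/celery worker
system_u:system_r:celery_t:s0 apache 2140 0.0 1.0 398000 41000 ? S 10:02 0:00  \_ /usr/bin/python /usr/bin/celery worker
system_u:system_r:httpd_t:s0 root 1987 0.0 0.4 250000 16000 ? Ss 10:01 0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 vagrant 2300 0.0 0.0 9000 900 pts/0 S+ 10:05 0:00 grep celery
EOF
}

sample_unlabeled() {
cat <<'EOF'
LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:unconfined_service_t:s0 apache 3001 0.1 1.2 402000 48000 ? Ssl 11:00 0:03 /usr/bin/python /usr/bin/celery worker
EOF
}

# Demo on the constructed samples; on a real host: ps -awfuxZ | check_label celery_t celery
sample_enforced | check_label celery_t celery && echo "celery: ok"
sample_enforced | check_label httpd_t httpd && echo "httpd: ok"
sample_unlabeled | check_label celery_t celery || echo "celery: wrong or missing label"
```

A process that never transitioned into its domain shows up as a MISMATCH line, and a pattern that matches no process also fails, so a service that did not start is not mistaken for a passing check.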
