Story #97
Updated by bmbouter about 8 years ago
The checklist items should be done top to bottom.

To compile and install the Pulp SELinux with vagrant ansible you will need to:

* Install selinux-policy-devel rpm with ansible
* Make the policy similar to <code>make NAME=celery -f /usr/share/selinux/devel/Makefile DISTRO=fedora24</code> except with ansible
* Install the policy using ansible
* Change apache to a permissive domain
* Run some restorecon statements using ansible that mimic these[0]

Use <code>ps -awfuxZ | grep celery</code> to verify the celery_t security label type. Similarly httpd should get an httpd security type. Then do some testing with Pulp and SELinux enabled.

[0]: https://github.com/pulp/pulp/blob/master/server/selinux/server/relabel.sh

I asked a python developer on another project to try out a pulp dev install so we could get feedback.

<pre>
1. Dev script does not allow for SELinux? That's going to be a no-go for people. Would it be possible just to poke a few holes in the policy just for pulp using semanage permissive? E.g.

# semanage permissive -a pulp_t

Alternatively, maybe you could provide a dev policy module built with audit2allow? I don't know what the pulp policy looks like or what problems it hits or whatever, but just disabling SELinux wholesale is becoming not a great solution.
</pre>

There were some other issues as well but this was number one. The pulp dev setup should be runnable without disabling selinux on the system.
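The <code>ps -awfuxZ</code> verification step from the checklist, as an added shell example that is not part of the original issue or the Pulp code base: it reads <code>ps</code> output on stdin and fails if a matching process runs outside the expected SELinux type. The sample rows are constructed, and the function name <code>check_domain</code> and the type name <code>httpd_t</code> are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Pulp project code. On a dev box, feed it live output:
#   ps -awfuxZ | check_domain celery celery_t

# check_domain PATTERN EXPECTED_TYPE   (reads `ps -awfuxZ` output on stdin)
# Exit 0: at least one match and every match runs in EXPECTED_TYPE.
# Exit 1: some matching process runs in another type.
# Exit 2: no process matched (service not running, or wrong pattern).
check_domain() {
    awk -v pat="$1" -v want="$2" '
        NR == 1 && $1 == "LABEL" { next }        # skip the header row
        {
            # With -Z, column 1 is LABEL and the command line starts at column 12.
            cmd = ""
            for (i = 12; i <= NF; i++) cmd = cmd " " $i
            if (cmd !~ pat || cmd ~ /grep/) next  # ignore a grep for the same word
            # LABEL is user:role:type:level; the level may contain ":" itself,
            # so only the third field is taken as the type.
            split($1, ctx, ":")
            seen++
            if (ctx[3] != want) {
                bad++
                printf "MISMATCH pid=%s type=%s want=%s\n", $3, ctx[3], want
            }
        }
        END { if (!seen) exit 2; exit (bad ? 1 : 0) }
    '
}

# Constructed sample: policy installed and processes relabelled.
SAMPLE_OK='LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:celery_t:s0 apache 2101 0.3 1.2 600000 48000 ? Ssl 10:02 0:01 /usr/bin/python /usr/bin/celery worker
system_u:system_r:celery_t:s0 apache 2144 0.0 1.0 590000 41000 ? S 10:02 0:00  \_ /usr/bin/python /usr/bin/celery worker
system_u:system_r:httpd_t:s0 root 1980 0.0 0.4 250000 9000 ? Ss 10:01 0:00 /usr/sbin/httpd -DFOREGROUND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 vagrant 2300 0.0 0.1 120000 900 pts/0 S+ 10:05 0:00 grep celery'

# Constructed sample: the celery worker was started without the policy in place.
SAMPLE_BAD='LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
system_u:system_r:unconfined_service_t:s0 apache 2101 0.3 1.2 600000 48000 ? Ssl 10:02 0:01 /usr/bin/python /usr/bin/celery worker'

printf '%s\n' "$SAMPLE_OK"  | check_domain celery celery_t && echo "celery: OK"
printf '%s\n' "$SAMPLE_OK"  | check_domain httpd httpd_t   && echo "httpd: OK"
printf '%s\n' "$SAMPLE_BAD" | check_domain celery celery_t || echo "celery: wrong domain"
```

Treating "no match" as its own exit code keeps a stopped service from passing as correctly labelled.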