Story #282

Updated by bmbouter almost 9 years ago

For Pulp to operate correctly, it expects that everything under /var/lib/pulp/* carries the httpd_sys_rw_content_t file context. If /var/lib/pulp/ or some subdirectory of it is hosted via NFS, those files receive the nfs_t label instead. As a result, Pulp does not work correctly if you want to scale the /var/lib/pulp filesystem with NFS while keeping SELinux in Enforcing mode.


 To reproduce the issue: 

 0. Enable selinux to enforcing mode 
 1. Mount /var/lib/pulp via NFS 
 2. Try to sync or consume content 
 3. Observe the sync will fail and AVC denials will be present 

 SELinux will not allow Pulp to work due to incorrect file labels. 
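To recognise the mislabeling described in the steps above without guessing, the following added example (not code from the Pulp project or from this issue's author) checks two things a sysadmin would look at: an `ls -Z`-style listing of /var/lib/pulp, and an AVC denial line from the audit log. Both inputs are constructed samples embedded in the script; the expected type httpd_sys_rw_content_t and the nfs_t label come from the issue text. Run it with `sh` on any POSIX system; it does not touch SELinux itself.

```shell
#!/bin/sh
# Added example, not part of the Pulp issue: flag Pulp content whose SELinux
# type is not httpd_sys_rw_content_t, and pull the target type out of an AVC
# denial so the nfs_t label is visible at a glance.

EXPECTED_TYPE="httpd_sys_rw_content_t"

# Constructed sample of `ls -Z /var/lib/pulp` output on an NFS-backed tree.
SAMPLE_LISTING='system_u:object_r:httpd_sys_rw_content_t:s0 /var/lib/pulp/content
system_u:object_r:nfs_t:s0 /var/lib/pulp/published
system_u:object_r:nfs_t:s0 /var/lib/pulp/uploads'

# Constructed sample AVC denial in the audit.log format (values are made up).
SAMPLE_AVC='type=AVC msg=audit(1400000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="uploads" dev="0:42" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir'

# Read "context path" lines on stdin; print "type path" for every entry whose
# type (third colon-separated field of the context) differs from EXPECTED_TYPE.
find_mislabeled() {
    while read -r context path; do
        [ -n "$path" ] || continue
        type=$(printf '%s' "$context" | cut -d: -f3)
        if [ "$type" != "$EXPECTED_TYPE" ]; then
            printf '%s %s\n' "$type" "$path"
        fi
    done
}

# Number of mislabeled entries in the sample listing (2 for the sample above).
count_mislabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled | wc -l | tr -d ' '
}

# Extract the type component of tcontext= from an AVC line on stdin.
avc_target_type() {
    sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p'
}

# Stand-alone report when run directly.
printf 'Entries not labeled %s:\n' "$EXPECTED_TYPE"
printf '%s\n' "$SAMPLE_LISTING" | find_mislabeled
printf 'AVC target type: %s\n' "$(printf '%s\n' "$SAMPLE_AVC" | avc_target_type)"
```

On a real host, replace the two samples with `ls -Z /var/lib/pulp` and `ausearch -m avc -c httpd`; a target type of nfs_t in the denial, paired with Pulp paths in the listing, is the signature of the NFS labeling problem this story is about.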


 Deliverables: 

 1. Adjust the SELinux policy to have Pulp work if /var/lib/pulp has nfs_t using one of the potential solutions below. 
 2. Add documentation to the docs about when/how to set any booleans or restorecons or similar. This should be in a new section or subsection. 
 3. Add a release note about this change. 


 Potential Solutions: 

 One way to fix this would be "similar to what spacewalk did":https://github.com/spacewalkproject/spacewalk/blob/master/spacewalk/setup/bin/spacewalk-make-mount-points by introducing a spacewalk_nfs_mountpoint label or something similar. 

 Another way would be to use some sort of SELinux aliasing. 

 A third way to fix this would be to have our policy be nfs_t aware specifically for pulp content, but not other nfs_t directories. 

 Another way would be for the user to manually relabel with a restorecon statement that specifies the httpd_sys_rw_content_t label, but that would need to be tested to be sure that it won't interfere with nfs_t correct operation or that SELinux won't relabel it later. 